We take the security of our software libraries seriously, which includes all source code repositories managed through our GitHub organization.
If you believe you have found a security vulnerability, please report it to us as described below.
Please note that as a non-commercial, Open Source project we are not able to pay bounties at the moment.
Important
Please do not report security vulnerabilities through public GitHub issues.
Instead, please click the "Report a vulnerability" button to open an advisory on GitHub, or send an email to [email protected].
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue.
- Type of issue.
- Full paths of related source files.
- Location of the affected source code (repo, branch or commit).
- Any special configuration required to reproduce the issue.
- Step-by-step instructions to reproduce the issue.
- Impact of the issue, including how an attacker might exploit it.
- Proof-of-concept or exploit code (if possible).
This information will help us triage your report more quickly.
- We will acknowledge your report as soon as possible.
- We will research and update the issue with relevant information.
- Once the vulnerability can be confirmed, we will take immediate action.
- Otherwise, we will close the security advisory and no further action will be taken.
- We will work on a fix privately.
- In the meantime, please keep the issue confidential.
- We will release new versions of all affected libraries.
- Finally, we will publish the security advisory, disclosing the vulnerability and the possible exploits.
Thanks for helping make our software safe for everyone!