We take security seriously and appreciate responsible disclosures.
- Preferred: Use GitHub’s “Report a vulnerability” (Security Advisories) for this repository.
- Alternate: Email [email protected] with details (steps to reproduce, impact, affected versions/commit).

Please avoid posting sensitive details in public issues or PRs.

- We acknowledge receipt of your report within 7 days.
- We target a fix/patch within 90 days, sooner for high-severity issues.
- We may request coordination on public disclosure to protect downstream users.

Reports are in scope if they demonstrate a security impact in this repository’s code or build/release artifacts (e.g., RCE, privilege escalation, sensitive data exposure, supply-chain concerns). Social engineering and purely theoretical issues without a plausible exploit path are typically out of scope.

We will not pursue legal action for good-faith, non-disruptive research that:
- Respects privacy and does not exfiltrate more data than necessary for proof.
- Avoids service degradation or data destruction.
- Respects rate limits and only tests against your own instances/environments unless explicitly authorized.

Thank you for helping keep users safe.