Please do not report security vulnerabilities via public GitHub issues.
Use GitHub's built-in private reporting:
- Go to the Security tab of the affected repository
- Click "Report a vulnerability"
- Fill in the details
This keeps the report private and within GitHub, and allows coordinated disclosure.
- Address: [email protected]
- Subject:
[SECURITY] <repo-name> — Brief description
What to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgement: Within 48 hours
- Assessment: Within 1 week
- Fix timeline: Depends on severity — critical issues within 30 days where possible
| Version | Supported |
|---|---|
| Latest release | ✅ |
| Previous minor | ✅ |
| Older versions | ❌ |
We follow coordinated disclosure. We ask that you:
- Give us reasonable time to address the issue before public disclosure
- Make a good faith effort to avoid privacy violations, data destruction, or service disruption
- Do not access or modify other users' data
We will credit reporters who follow responsible disclosure practices.