Security: ZaparooProject/.github

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do NOT open a public issue to report a security vulnerability.

Instead, use GitHub's private vulnerability reporting to submit your report directly. This keeps the details confidential while we work on a fix.

If the vulnerability is in a specific repository (e.g. zaparoo-app, go-pn532), please report it through that repository's Security tab, using "Report a vulnerability", instead.

What to Include

  • Steps to reproduce the vulnerability
  • Affected version(s) and platform(s)
  • Impact assessment (what an attacker could achieve)
  • Any proof-of-concept code, if available

Supported Versions

We accept vulnerability reports for the latest stable release and the current development branch (main). Older releases are not supported with security patches; users should update to the latest version.

Response Timeline

  • Acknowledgement: within 3 business days
  • Initial assessment: within 7 business days
  • Fix or mitigation: depends on severity, but we aim for 30 days for critical issues

Disclosure Policy

We follow coordinated disclosure. Once a fix is available, we will:

  1. Release a patched version
  2. Publish a GitHub Security Advisory with full details
  3. Credit the reporter (unless they prefer to remain anonymous)

We ask that reporters do not disclose the vulnerability publicly until a fix has been released. If you have not received a response within 14 days, you may follow up on your original report.

There aren’t any published security advisories