We take security seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them using GitHub's Security Advisory feature:
- Go to the repository's "Security" tab
- Click "Report a vulnerability"
- Fill in the details of the vulnerability
- Submit the report
Please include the following information in your report:
- Type of issue (e.g., credential exposure, arbitrary code execution, etc.)
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you submit a report:
- We will acknowledge receipt of your vulnerability report within 3 business days
- We will provide a more detailed response within 7 business days indicating the next steps
- We will keep you informed of the progress towards a fix and full announcement
- We may ask for additional information or guidance
When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find similar problems
- Prepare fixes for all supported versions
- Release new versions as soon as possible
- Publish a security advisory on GitHub