For issues related to security within this project, please do NOT create an issue or disclose publicly without first contacting maintainers.
We are committed to quick response times and responsible disclosure of vulnerabilities. If we do not respond within 24 hours, please feel free to aggressively badger us via any means necessary. If we let things go for more than 48 hours, publicly shame us (because we will already have private shame for not responding).
The preferred method for vulnerability reporting is via the Security tab of the associated repository.
Not only will this allow you to privately report a vulnerability, but you can also create a private fork to allow easy collaboration with us on a fix.
You can read more about this feature in GitHub's code security docs.
Note: This feature is currently in beta and is subject to change.
If you are unable to report a vulnerability via the Security tab, the team can be contacted via email at [email protected].