If you believe you have discovered a vulnerability in this project, please report it through responsible disclosure.
Please do NOT use a GitHub Issue, Discussion, Pull Request, or Public Forum.
Reports are accepted via:
- Report a Vulnerability via GitHub Private Disclosure. Please select the "Security" tab to begin this process.
- Reach out via Discord to @xCykrix (me) directly to report an issue. You can find the Discord Server Link via the "Issues" tab.
When submitting a Vulnerability Report, please include as much relevant information as possible:
- The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting).
- Impacted version(s) of the project.
- Impact of the issue, including how an attacker might exploit the issue.
- The location of the affected source code (tag/branch/commit or direct URL).
- Step-by-step instructions to reproduce the issue.
- Any special configuration required to reproduce the issue (if applicable).
- Any log files that are related to this issue (if possible).
- Proof-of-concept or exploit code (if possible).
You will never share too much information to us.
Once reviewed, the clock begins for us. We will begin to validate the submission, assess the impact, and release a timeline of resolution and disclosure. Below is the general guidelines of this process:
- Maintainers will acknowledge the submission and validate the claim. Process date starts at acknowledgement.
- Maintainers will research the scope, impact, and severity of the claim.
- Maintainers will begin work on analysis and possible mitigation of the reported issue.
- Maintainers will release an update addressing the issue; if applicable.
- Maintainers will release a statement and update the disclosure based on analysis, mitigation, and how/if it was addressed.
- Maintainers will publish the disclosure to the public after post-processing is completed.
- When a fix is deployed, a disclosure will be published within 5 week days or 30 days of the initial submission process date; whichever is earliest.
- If a vulnerability exists and it not yet patched, a disclosure will be published within 30 days of submission processing unless mutually agreed upon to extend the disclosure window.