We accept vulnerability reports for the main branch and the most recent tagged releases. Older versions may not receive security updates.
- Please report vulnerabilities privately using the repository's Security Advisories (Security tab) if available.
- If Security Advisories are not available, contact the maintainers via security@example.com with the subject line: "Security Report: ".
- Do not open public issues for vulnerabilities.
Include in your report:
- Affected component(s) and version(s)
- Reproduction steps or proof-of-concept
- Impact assessment and suggested severity
- Any relevant logs (redact secrets)
We will acknowledge receipt within 3 business days and provide regular status updates until resolution.
We will not initiate legal action for good-faith, non-destructive research that respects privacy and does not exploit data.
We prefer coordinated disclosure. After a fix is available, we will publish an advisory and credit reporters (unless you request otherwise).