We take security very seriously. We ask that everyone follow the coordinated vulnerability disclosure model rather than immediately making vulnerabilities public.
If you believe you have discovered a vulnerability, please privately contact one of the maintainers via the contact methods on their GitHub profile. In the future we will publish an official email for this purpose.
Users who report bugs will, at the discretion of the user, be credited for the discovery.
- User privately reports a potential vulnerability.
- The maintainers review the report and ascertain if additional information is required.
- The maintainers reproduce the bug.
- The bug is patched and, if possible, the user reporting the bug is given access to a fixed version or git patch.
- The fix is confirmed to resolve the vulnerability.
- The fix is released.
- The security advisory is published sometime after users have had a chance to update.