This document describes how to report security vulnerabilities and how they are handled.
This project is open source and maintained by volunteers. Security handling follows a best-effort model.
Only the latest released version is actively supported, unless stated otherwise.
Older versions may not receive security fixes.
If you believe you have found a security vulnerability, do not disclose it publicly.
Please report it privately using one of the following methods:
- Email: mailto:[email protected]
- GitHub Security Advisory (preferred if available)
Do not open public issues, pull requests, or discussions to report security problems.
To help us evaluate the report, please include at least:
- A clear description of the vulnerability
- At least one affected version that can be reproduced
- If possible, a version range
- Reproduction steps or proof-of-concept
Incomplete reports may be deprioritized.
- This project is maintained without guaranteed compensation.
- There is no obligation to provide immediate responses or guaranteed fixes.
- Most vulnerabilities are addressed because we want the project to be better, not because of contractual duty.
We typically review security reports within 24 hours, but this is not guaranteed.
If you receive no response after 72 hours, you may try another reporting channel or send a reminder.
- Confirmed vulnerabilities may only be disclosed after a fixed version is released.
- Coordinated disclosure is required.
- Maintainers decide if and when disclosure is appropriate.
Good-faith security research is allowed under the following conditions:
- No intentional harm
- No data destruction or data exfiltration
- No service disruption
- No abuse of infrastructure
If our open-source software is deployed on internal or public servers and a vulnerability exists, limited testing is acceptable. Actions commonly understood as malicious or unethical are not permitted.
If you successfully identify and help fix a security issue, you may be credited or invited to become a maintainer.
This is discretionary.
Maintainers have final authority over:
- Vulnerability validation
- Severity assessment
- Fix prioritization
- Disclosure timing