Keeping users safe and secure is a top priority. We welcome the contribution of external security researchers.
If you believe you’ve found a security issue in any software, service, or website governed by this repository, we encourage you to notify us.
Projects sometimes do unsafe things by design (such as a plugin that executes arbitrary code or an option that is dangerous). This unsafe behavior should be explicitly documented; when it is, it is not considered a security issue.
There are no hard and fast rules to determine if a bug is worth reporting as a security issue or a “regular” issue. When in doubt, please do send us a report.
Security issues can be reported by sending an email to security@.com, which will go to all team members. The team will acknowledge your email within 48 hours. You will receive a more detailed response within 96 hours.
We will create a maintainer security advisory on GitHub to discuss the issue internally and, when needed, invite you to the advisory.
- Please provide detailed reports with reproducible steps and a clearly defined impact
- Submit one vulnerability per report
- Social engineering (such as phishing, vishing, smishing) is prohibited