For security issues, please report privately by opening a GitHub issue on the project with the label security (or describing it as a security report in the issue title).
Where to report:
When reporting, please include:
- A clear description of the vulnerability
- Steps to reproduce (if applicable)
- Expected vs actual behavior
- Impact (e.g., data exposure, privilege escalation, remote code execution)
- Affected versions (if known)

- We will acknowledge receipt of your report as soon as possible (typically within 2–3 business days).
- We will provide a response on whether the report is accepted and what the remediation plan/timeline looks like.
- If accepted, we’ll work to release a fix in a subsequent release for the supported versions listed above.

- Do not publish exploit details publicly until a fix is released (or we confirm the issue is non-actionable).
- Do not attempt to cause real-world damage.
- Avoid including sensitive personal data or credentials in the report.

If GitHub issues are not appropriate, add a note in your report explaining why and include as much of the above information as possible.