Thank you for helping keep this organization safe and trustworthy. We support responsible disclosure and appreciate reports made in good faith.
This policy applies to:
- security issues in our repositories
- dependency vulnerabilities or unsafe configurations
- mishandling of tokens, secrets, or CI workflows (for example, credentials committed to a repository or workflows that can be triggered with untrusted input)
The following are not in scope:
- general bugs that do not pose a security risk
- vulnerabilities in the code of third-party tools or libraries themselves; report those to the upstream maintainer. Our use of a known-vulnerable dependency version or an unsafe configuration of a third-party tool is in scope.
Please report security concerns privately using GitHub's private vulnerability reporting feature:
- Navigate to the repository where the issue exists.
- Open the Security tab and choose Report a vulnerability.
- Submit the details privately.
This ensures the issue is not publicly visible while it is being reviewed.
If private vulnerability reporting is not enabled on the repository, do not open a public issue or pull request. Draft security advisories can only be created by people with write access to a repository, so they are not a reporting path for external researchers; instead, contact the maintainers of that repository privately.
We aim to:
- acknowledge receipt of your report within 5 business days
- provide an initial assessment within 10 business days
- keep you informed as we prepare a fix or investigate further, as appropriate
When possible, we will credit reporters for responsible disclosure.
We welcome good-faith security research. If you follow this policy and do not intentionally cause harm, for example by accessing data that is not yours or degrading service, we are unlikely to pursue legal action.
Thank you for supporting the integrity of our projects.