Our core team will try their best to fix any valid vulnerability that is reported to them.

You can privately report a vulnerability to the OpenRefine team by creating a security advisory on GitHub. This report will be kept private while it is being assessed by the team.

Keep in mind that OpenRefine is designed to run locally on a user's PC, while also making network calls across the internet only upon a user's choice or command. As such, certain vulnerabilities might not apply to OpenRefine's design. In doubt, please submit a report anyway.