Any non-deprecated version labelled on npm is supported for vulnerability reports.
Security vulnerabilities must not be disclosed in public. Instead, they must be privately reported to one of the repository maintainers:
Your report will be reviewed within 7 days via a follow-up email to the reply-to field on your original email.
If a reply-to field is not present, we will follow up to the email address you used to send the email.
It is advised to provide a backup email address in case you cannot access your primary email address. It is also advisable to include your GitHub username so that we can reach you if all other methods fail.
If we follow up on your report and you do not reply within 14 days, your report will automatically be discarded. You will receive a notification about this, and you will need to create another report if you wish to continue.
⚠ Warning
For security reasons, we do not accept email addresses whose domain has one of the following TLDs (top-level domains):
- .tk
- .ml
- .ga
- .cf
- .gq
All valid vulnerability types are currently supported.
As a reward, your GitHub username will be featured on our README if you agree to it.
We are currently unable to financially reward you for vulnerability reports.