To report a vulnerability, please contact dustin@cs.uchicago.edu, you may use GPG public-key D8097934A92E4B4210368102FF8B7AC6154E3226 which is available here. Initial response is expected within ~48h.
We kindly ask to follow the responsible disclosure model and refrain from sharing information until:
- Vulnerabilities are patched in TaskChampion + 60 days to coordinate with distributions.
- 90 days since the vulnerability is disclosed to us.
We recognise the legitimacy of public interest and accept that security researchers can publish information after 90-days deadline unilaterally.
We will assist with obtaining CVE and acknowledge the vulnerabilites reported.