If you discover a security vulnerability within this project, we appreciate your effort in helping us keep it secure by reporting it responsibly.
Please do not create a public GitHub issue for security-related matters.
Instead, contact the project leaders directly at:
📧 anurag.mishra@owasp.org, ravi.mishra@owasp.org
When reporting, please include:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce or proof-of-concept (if applicable).
- Any relevant screenshots, logs, or configuration details.
- Suggested fix or mitigation ideas (optional).
Once a vulnerability report is received:
- Project leaders will acknowledge receipt within 5 business days.
- The issue will be reviewed and validated.
- A fix will be developed, tested, and included in a future release.
- A public disclosure will be made once the issue is resolved and verified.
We may credit researchers who responsibly report valid vulnerabilities, unless anonymity is requested.
This policy applies to:
- The code and documentation in this repository.
- Any official deployments, demos, or hosted instances maintained by the project team.
It does not cover:
- Third-party dependencies or libraries used by the project.
- Non-official forks or unrelated OWASP repositories.
We kindly request that you:
- Allow reasonable time for us to investigate and fix issues before making them public.
- Avoid activities that could harm users or services.
- Communicate in good faith and maintain confidentiality during the resolution process.
Thank you for helping us strengthen the security of this OWASP project and the open-source ecosystem!