Per coördinated vulnerability disclosure:
-
A security vulnerability should be publicized for awareness, yes, but only after the contributors have released patches. This way, the contributors get a headstart rather than malicious abusers.
- Reporters should not file security vulnerabilities as Issues or send their patches via Pull Requests, as these listings are publicly visible for public repositories. Instead, contact the maintainer(s) privately, such as via e-mail or Discord.
-
To minimize the time users (and developers too) are left unaware of the penetration attempts in the wild, the maintainer(s) should publish fixes for loopholes as new versions as soon as possible (ASAP), for every maintained major/minor versions and ahead of a regular milestone.