The ShadowHook team and community take security bugs in ShadowHook seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Please do not report security vulnerabilities through GitHub issues, discussions or pull requests. This makes the problem immediately visible to everyone, including malicious actors.

Instead, please send email to caikelun@bytedance.com. If possible, encrypt your message with this PGP key.

The ShadowHook team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.