Please email gavindouch@gmail.com to report vulnerabilities.

Even when unsure whether the bug in question is an exploitable vulnerability, it is recommended to send the report to gavindouch@gmail.com (and obviously not to discuss the issue anywhere else).

Vulnerabilities are expected to be discussed only in that email thread, and not in public, until the patch is released.

Examples for details to include:

• A description of the vulnerability
• Ideally a script (or a description) to demonstrate an exploit.
• The affected platforms and scenarios (the vulnerability might only affect setups with case-sensitive file systems, for example).
• The name and affiliation of the security researchers who are involved in the discovery, if any.
• Whether the vulnerability has already been disclosed.
• How long an embargo would be required to be safe.

Discovered vulnerabilities will be acknowledged in this repo once they are patched, along with credit to their discoverer(s).