Please do not file a public GitHub issue for security vulnerabilities.

Report vulnerabilities privately using GitHub's private security advisory feature. Include as much detail as possible:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fix

You can expect an acknowledgement within 3 business days and a resolution or status update within 14 days.

This project is a Lambda runtime layer. Security issues we care about include:

• Vulnerabilities in the bootstrap runtime script (e.g. command injection, privilege escalation)
• Issues in the bundled curl or jq binaries
• Insecure defaults that could affect deployed Lambda functions

If you are unsure whether something qualifies, err on the side of reporting it privately.