Security: nam20485/OdbDesign

docs/SECURITY.md

Reporting Security Issues

Supported Versions

Version Supported
1.0.x
< 1.0.x

Reporting a Vulnerability

Security vulnerabilities can be reported privately using the Report a Vulnerability button under the Security tab of this GitHub repository. Full instructions can be found here.

If you would like to report a vulnerability publicly, you can create a regular GitHub issue describing it under the Issues tab.

If you have any questions or the reporting button is not working, please email the maintainer.

Timeline

We strive to provide responses and updates as quickly as we are able.

You can expect a response within 24-48 hours of submission, followed by regular updates by the end of each week. Disclosures can be expected within 60 days.

Details

When reporting, please include as many of the following details as possible:

  • Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

There aren’t any published security advisories