Here are some security-related information for Libravatar.org and the Libravatar protocol.
There are two ways to report security bugs in the Libravatar service:
- File a bug on the tracker with a "Private Security" visibility.
- Email Francois Marier at
security@libravatar.org
For bugs in the Libravatar federated protocol itself, please email security@libravatar.org.
If you find a bug in a third-party library,
please email its author directly, but feel free to CC security@libravatar.org.
If you email security@libravatar.org, we will do our best to acknowledge your
email within 48 hours. If you haven't heard from us, please try again or ping
us through another channel.
It is of course up to you whether or not you publicize the security vulnerability you have discovered, but we do ask that you please give us a bit of time to deploy a fix before you discuss your findings publicly.