We encourage responsible disclosure practices for security vulnerabilities.

If you believe you've found a security-related bug, fill out a new vulnerability report via GitHub directly. To do so, follow these instructions:

1. Click on the Security tab in the project repository.
2. Click the green Report a vulnerability button at the top right corner.
3. Fill in the form as accurately as you can, including as many details as possible.
4. Click the green Submit report button at the bottom.

Alternatively, drop an email to the maintainer's tox-plugins security mailbox instead of filing a ticket or posting to any public groups. Reports will be triaged in a timely manner and disclosed in a responsible way.

• Threat model -- the asset inventory, trust boundaries and mitigations the maintainer has assessed.
• Incident response playbook -- how the maintainer triages, fixes and discloses confirmed vulnerabilities.