Our community takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, please use the GitHub Security Advisory menu of the affected project (Security > Advisories > New draft security advisory). Our staff will send a response indicating the next steps in handling your report.

After the initial reply to your report, the security team will keep you informed of the progress towards a fix, and may ask for additional information or guidance.

Please report security bugs in third-party packages to the respective package maintainers. Vulnerabilities relating to npmjs.com or the npm CLI should be submitted to the GitHub Bug Bounty program.