If you think you have identified a security related issue with a repository, please report it immediately to the lead maintainer at security@vality.dev. If you are not sure, don’t worry. Better safe than sorry – just send an email.

Do not open issues related to any security concerns publicly. Please do not include anyone else on the disclosure email. Preferably only one point of contact for replies.

When reporting an issue, include as much information as possible. Just tell us what you found, how to reproduce it, and any concerns you have about it. We will respond as soon as possible and follow up with any missing information.

Once an issue has been confirmed, we will work to resolve it.

If you have a suggestion for a patch; Coordinate with the lead maintainer for when to publicly post an issue and pull request. Giving you credit for your effort.