Security: yast/yast-online-update

SECURITY.md

Security Bugs

Security-related bugs need special handling because we need to synchronize the release of the security fix across all supported products (openSUSE Leap, openSUSE Tumbleweed, SUSE Linux Enterprise) and make sure that the fix is available to all affected users at the time the security vulnerability is published.

Thank you for your cooperation! 👍

Reporting Security Bugs

To report security-related issues, use the Security component in the SUSE Bugzilla; just follow this link.

⚠️ Please DO NOT use any publicly visible places like mailing lists or GitHub issues for reporting or discussing any security-related issues!

Security bugs in Bugzilla are visible only to the reporter and the security team. When the security team confirms the issue, they will make it visible to the YaST developers.

Sending or Proposing Security Fixes

A similar rule applies to sending or proposing security-related fixes: report a security bug in Bugzilla and attach the proposed patch there.

⚠️ Please DO NOT open pull requests with security fixes on GitHub! You should also avoid committing the fix to your fork or anywhere else where it can be seen by the public.