Please do not file public GitHub issues for undisclosed security vulnerabilities (they would notify everyone before a fix is ready).
If the repository has Private vulnerability reporting enabled, use Security → Report a vulnerability on the GitHub repo page.
If you cannot use private reporting, contact the maintainers through a non-public channel they have published (e.g. email on profile or an agreed contact). Do not put exploit details in public issues or social posts.
In your report, please include:
- Affected component (app, native, proot, wayland, etc.) and version / commit if known.
- Steps to reproduce or a clear description of the impact.
- Whether you plan to coordinate disclosure after a fix.
This policy covers this repository and shipped artifacts. Issues in upstream projects (Termux proot, KDE, Firefox, etc.) should be reported to those projects according to their policies; we can still fix our integration if needed.
Maintainers will aim to acknowledge serious reports in a reasonable time; timing depends on availability. Thank you for helping keep users safe.