We take the security of our projects seriously and appreciate responsible disclosure.
Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions — that would expose the issue to everyone before it can be fixed.
Instead, report it privately:
- Preferred: use GitHub's "Report a vulnerability" button under the repository's Security tab (Security → Advisories). This opens a private channel with the maintainers.
- If private reporting is not available on a given repository, contact the maintainers privately (for example via the contact listed in that repository's
README) rather than opening a public issue.
When reporting, please include as much of the following as you can:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, or a proof of concept.
- The affected repository, version/commit, and environment.
- Any suggested mitigation, if you have one.
- We will acknowledge your report as soon as we reasonably can.
- We will investigate, keep you informed of progress, and let you know once a fix is available.
- We ask that you give us a reasonable opportunity to address the issue before any public disclosure.
Thank you for helping keep these projects and their users safe.