We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

If you discover a security vulnerability within this project, please send an email to the project maintainers. All security vulnerabilities will be promptly addressed.

Please do not report security vulnerabilities through public GitHub issues.

When reporting a vulnerability, please include:

• The type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

We kindly ask that you:

• Allow us a reasonable amount of time to fix the issue before public disclosure
• Make a good faith effort to avoid privacy violations, data destruction, and service disruption
• Do not access or modify other users' data
• Do not perform actions that could negatively affect Salesforce users or services

• Acknowledgment of your report within 48 hours
• Regular updates on our progress
• Credit in the release notes (if desired) when the vulnerability is fixed

Thank you for helping keep this project and its users safe!