Use this template when filing a private report via:
Security -> Report a vulnerability -> Draft repository security advisory
Copy/paste the sections below into the private report.
- Short title:
- Vulnerability class (for example: RCE, auth bypass, privilege escalation, SSRF, path traversal, secret exposure):
- Affected component(s):
- Suspected severity (S0 / S1 / S2 / S3):
Severity reference:
- Use SECURITY.md -> Severity Levels and SLA Matrix for assignment guidance.
- Affected versions:
- Last known unaffected version:
- Deployment/runtime prerequisites:
- Feature flags or configuration conditions required:
- Environment:
- OS:
- Runtime/toolchain versions:
- Config relevant to reproduction:
- Step-by-step reproduction:
  1.
  2.
  3.
- Proof of concept payload/commands (safe/minimized):
- Expected behavior:
- Actual behavior:
- Impact on confidentiality:
- Impact on integrity:
- Impact on availability:
- Attack complexity and required privileges:
- Remote/local reachability:
- Estimated blast radius:
Optional CVSS estimate (if known):
- CVSS vector:
- CVSS score:
- Immediate mitigations/workarounds:
- Suggested patch direction:
- Backward compatibility concerns:
- Is coordinated disclosure requested? (yes/no)
- Earliest preferred disclosure date (if any):
- Credit preference/attribution:
- Contact channel for follow-up:
- Logs (redacted):
- Stack traces (redacted):
- Screenshots/videos (if applicable):
- Patch/commit references (if already available):
- I did not open a public issue for this unpatched vulnerability.
- I redacted secrets, tokens, and personal data.
- I provided reproducible steps and impact details.
- I included affected version/scope information.
Before submission, remove or replace:
- API keys, tokens, credentials
- Internal hostnames, IPs, and private URLs
- User-identifying personal data
- Any exploit details that are unnecessary for maintainers to reproduce