Security: nvm-sh/nvm

.github/SECURITY.md

Security

Please file a private vulnerability report via GitHub, email @ljharb, or see https://tidelift.com/security if you have a potential security vulnerability to report.

Escalation

If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at [email protected].

If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.

OpenSSF CII Best Practices

There are three “tiers”: passing, silver, and gold.

Passing

We meet 100% of the “passing” criteria.

Silver

We meet 100% of the “silver” criteria.

Gold

We meet 78% of the “gold” criteria. The gaps are as follows:

  • Because we only have one maintainer, the project has no way to continue if that maintainer stops being active.
  • We do not include a copyright or license statement in each source file. Efforts are underway to change this archaic practice into a suggestion instead of a hard requirement.

Threat Model

See THREAT_MODEL.md.

Incident Response Plan

Please see our Incident Response Plan.
