Security Vulnerability Disclosure - Request for Contact Information

[researchatfluidattacks]

Security Contact Request

Our security research team has found a potential vulnerability in your software that we would like to report through a responsible disclosure process.

We were unable to locate a dedicated security contact, security policy, or SECURITY.md file for your project. We also sent an email to security@slab.com, but did not receive a reply.

Additional context

• Security vulnerability details will be shared privately once contact is established.
• Our responsible disclosure policy typically requires public disclosure after a set period without vendor response.
• To ensure this finding reaches the appropriate team members, could you please:
  • Provide a security contact email address where we can send the vulnerability details, or
  • Consider creating a SECURITY.md file in your repository with disclosure guidelines and contact information

You can reach our security research team at research@fluidattacks.com
We're trying to work with you on this and would prefer coordinated disclosure over public disclosure.

[KivaBall]

Hey guys 🙃

1. Has contact already been established with Fluid Attacks?
2. Any rough ETA on a fix?

Right now we can’t ship Quill to production because npm audit flags this as a security issue (CVE-2025-15056), so just trying to understand the timeline. Thanks!