We take the security of our software libraries seriously, which includes all source code repositories managed through our GitHub organization.
If you believe you have found a security vulnerability, please report it to us as described below.
Please note that as a non-commercial, Open Source project we are not able to pay bounties at the moment.
Important
Please do not report security vulnerabilities through public GitHub issues.
Instead, please click "Report a vulnerability" button to open an advisory on GitHub, or send an email to [email protected].
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue.
- Type of issue.
- Full paths of related source files.
- Location of the affected source code (repo, branch or commit).
- Any special configuration required to reproduce the issue.
- Step-by-step instructions to reproduce the issue.
- Impact of the issue, including how an attacker might exploit it.
- Proof-of-concept or exploit code (if possible).
This information will help us triage your report more quickly.
-
- 🛎️ We will acknowledge your report as soon as possible.
-
- 🕵️ We will research and update the issue with relevant information.
-
- 🐛 Once the vulnerability can be confirmed, we will take immediate action.
- 🗑️ Otherwise, we will close the security advisory and no further action will be taken.
-
- 🚧 We will work on a fix privately.
- 🤫 In the meantime, please keep the issue confidential.
-
- 📦 We will release new versions of all affected libraries.
-
- 📢 Finally, we will publish the security advisory, disclosing the vulnerability and the possible exploits.
Thanks for helping make our software safe for everyone!