Do not open public issues for security vulnerabilities.
Use GitHub's private vulnerability reporting to submit your report. This keeps the details confidential until a fix is available.
When reporting, include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Affected versions or components, if known
Only the latest release on the main branch receives security updates. Older releases are not patched.
| Branch | Supported |
|---|---|
main (latest) |
Yes |
| Older releases | No |
- Acknowledgment within 48 hours of your report.
- Status update within 7 days with an initial assessment and remediation timeline.
- Credit in the release notes, unless you prefer to remain anonymous.
We coordinate disclosure with reporters. We will not pursue legal action against researchers who report in good faith through this process.