Microsoft takes the security of our software products and services seriously, including all source code repositories managed through our GitHub organizations, such as Microsoft, Azure, DotNet, AspNet, and Xamarin.
Microsoft serves as the primary maintainer of this repository. If you believe you have found a security vulnerability that meets Microsoft's definition of a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Security issues and bugs should be reported privately to the Microsoft Security Response Center (MSRC), via the MSRC Researcher Portal.
You should receive a response within 24 hours. If for some reason you do not, please follow up via the MSRC Researcher Portal, using the Message functionality found at the bottom of the Activity tab on your vulnerability report.
Further information can be found in the MSRC Report an issue and submission guidelines.
Reports via MSRC may qualify for the Microsoft Open Source Bug Bounty. Details of the Microsoft Open Source Bug Bounty Program, including terms and conditions, are at https://aka.ms/corebounty.
We prefer all communications to be in English.
Microsoft follows the principle of Coordinated Vulnerability Disclosure.