Security policy

Thank you for taking the time to report a security issue. This page explains how to report vulnerabilities privately and what to expect.
- Reporting
  - Preferred: use GitHub Security Advisories for this repository so reports stay private until fixed.
  - If you cannot use the security advisory flow, contact a repo maintainer directly (do not post exploit details publicly).
- What to include
  - Short summary and impact (what an attacker can do)
  - Steps to reproduce (minimal, precise)
  - Proof-of-concept (if available): include only what's needed to reproduce
  - Affected versions and environment
  - Suggested mitigation if you have one
- Timeline & coordination
  - We follow coordinated disclosure: we will acknowledge receipt within 3 business days and aim to triage and fix within a reasonable timeframe.
  - We typically request up to 90 days to fix before public disclosure, but we will coordinate timing with you.
- Handling sensitive data
  - Do not share private keys, passwords, or user data when reporting. If you need to share sensitive artifacts, ask for a secure channel.
- Acknowledgement
  - If you want credit, we can add you to a CONTRIBUTORS / SECURITY_ACKS file; tell us how you want to be credited.
- After disclosure
  - Once a fix is available, we will publish a CVE or advisory (if applicable) and post remediation steps.
Thank you,
- The maintainers