The vacs project team and contributors take security bugs in vacs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions as well as resolving any findings in a timely manner..

To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab.

We will send a response indicating the next steps in handling your report. After the initial reply to your report, we will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Report security bugs in third-party modules to the person or team maintaining the module. You can also report a vulnerability through the crates.io registry (directly on the crate's page via the "Report crate" button and selecting "it contains a vulnerability") or the npm contact form by selecting "I'm reporting a security vulnerability".

If you do not receive an acknowledgement of your report within a reasonable timeframe (keep in mind this is a private project, so please give us at least 7 business days of response time), you can escalate the issue by messaging the project maintainers directly via the contact methods available on their public GitHub profiles.

You may also send an email to our security email address at security@vacs.network. The corresponding OpenPGP key is available at https://vacs.network/pgp-key.txt and has the following fingerprint:

2627 292B 3D6E 8ADB 5D1F 3A98 4C5A 94B4 64A9 D4C8

You can find additional details in our security.txt file.

Additionally, you may message MorpheusXAUT privately on Discord (Discord ID morpheusxaut).