Do not open public GitHub issues for suspected security vulnerabilities.

## Reporting a vulnerability

Report privately to the project maintainers through the repository's private security contact channel (GitHub Security Advisories or maintainer email). Include:
- description of the issue
- steps to reproduce
- affected version/commit
- potential impact
- suggested mitigation (if known)

## Response process

Maintainers will:
- acknowledge receipt
- investigate and assess severity
- prepare and validate a fix
- coordinate disclosure timing

## Disclosure

We prefer coordinated disclosure after a fix is available.

## Security best practices for contributors

- avoid committing secrets/credentials
- validate and sanitize external inputs
- add tests for security-sensitive changes
- keep dependencies up to date