We take the security of our users and contributors seriously. If you believe you have found a security vulnerability in this project, please report it responsibly.
Security fixes are applied to the latest main branch. We do not provide patches for older tags unless otherwise noted.
- Please report vulnerabilities via GitHub Security Advisories (preferred) or by contacting @alexthemitchell.
- Provide a detailed description of the issue, steps to reproduce, affected versions, and any known mitigations.
- Please do not open public issues for security reports.
- Acknowledgment: within 3 business days
- Initial investigation: within 7 business days
- Coordinated disclosure: timeline agreed with the reporter based on severity and fix readiness
- In scope: this repository and released artifacts.
- Third-party dependencies are out of scope, but we are happy to coordinate with upstream projects when possible.
We support good-faith research and responsible disclosure. We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
- Only interact with assets in scope
- Provide us reasonable time to remediate before public disclosure
Thank you for helping keep the community safe.