I take the security of my software and services seriously. This includes all open source software I create, maintain or help to maintain.
If you believe you have found a security vulnerability in any repository I maintain, including this one, please report it responsibly to me as described below.
Please DO NOT report security vulnerabilities publicly!
So... DO NOT create a GitHub issue for it ;)
Privately and confidentially, send me a detailed description of the vulnerability you have discovered using an encrypted and authenticated channel. Personally, I prefer this to be done using PGP encrypted email. The contact information needed for this is listed below.
In the report, please include as much information as possible, including:
- An extensive description of the vulnerability.
- How it could be exploited.
- The potential impact you think it would have (e.g., susceptibility to DoS attacks, privacy concerns, leaking of credentials).
- Steps for reproducing the vulnerability.
- Code (if any) that is needed for reproducing the issue.
- Any idea you have for a fix, patch or other adjustment that mitigates the reported vulnerability.
Sorry for the long list, but providing as much information as possible allows me to act more quickly. Please write your report in English.
Please take care not to violate the privacy of other people in your report. For example, stack traces or exploit scripts sent to me should never contain private or personally identifiable information.
Give me at least a week to investigate and respond to the vulnerability you have reported, and up to 60 days to fix the issue and distribute the fix. This includes a window for existing users to upgrade, patch or mitigate the issue as well.
If you intend, at any point, to disclose the vulnerability to someone else or even publicly, please give me reasonable advance notice.
If any dependent projects are involved, I will take care of informing the maintainers of those projects as well.
Unfortunately, I cannot offer a paid bug bounty program. I will, however, make my best effort to show appreciation to people who took the time and effort to disclose vulnerabilities responsibly.
I, and the open source community, will be forever grateful.