We're not Google. We're not wealthy and we cannot pay any bounties. Lots of people use this software. By reporting a vulnerability, you are helping all of those people and are helping to make the world a better place. Please accept our gratitude for reporting any vulnerabilities.
The current code base.
If you find a vulnerability, please report it to Hacker Factor: https://hackerfactor.com/about.php Email should be fine. You should expect a reply within 48 hours (and often much faster).
NOTE: My email server requires your sending mail system to have a proper reverse hostname and SPF record. (If you can email someone at Google, then you can email me. We have the same email sending requirements.) If you don't receive some kind of response within 48 hours, then try one of the other ways to contact me. (Maybe your email triggered a spam filter rule. Don't give up just because one email didn't work.)
If you believe that the information is too sensitive for email, then contact me first (without details) and I can set up a dropbox where you can securely upload the details.
Please provide as much detail as possible for us to replicate, identify, and fix the vulnerability. When we know what the vulnerability is, we can coordinate a release plan and statement about the problem. Unfortunately, we cannot determine how long it will take to fix the issue until we know what the issue is and can replicate it. Given the lack of complexity in this code, I seriously doubt that a fix will take more than a few days.