If you believe you've found a security vulnerability in WatermelonDB, let us know right away.
More details on how to responsibly disclose issues: https://nozbe.com/bug-bounty/
If vulnerabilities are found, we'll post security advisories via GitHub once a confirmed patch is available.
We may choose to send a heads-up to a select list of higher-profile projects/organizations to alert them about a vulnerability before the public. Inclusion into this list is entirely at our own discretion. If we do send a heads-up before a public patch, we'll include the least amount of detail possible - only enough to work around an issue.
If we determine that it's in the best interest of all WatermelonDB users, we may choose to advise users to update to a new version of WatermelonDB or apply a workaround without revealing all details about the vulnerability. This may happen if we believe there's a very serious issue that's easy to patch but difficult to discover. If we do so, we will post a detailed explanation after a few weeks.