Please follow this guidance when reporting security issues affecting:
- Shields.io
- Raster.shields.io
- Self-hosted Shields instances
- The squint raster proxy
- The badge-maker NPM package
The gh-badges and svg-to-image-proxy NPM packages are now deprecated and will no longer receive fixes for bugs or security issues.
If you find a security vulnerability affecting any of our supported projects, please email security@shields.io, rather than opening a public issue on GitHub. After receiving the initial report, we will endeavor to keep you informed of the progress towards a fix and full announcement. We may ask you for additional information. You are also welcome to propose a patch or solution.
Report security bugs in third-party modules to the person or team maintaining the module.
We aim to patch confirmed vulnerabilities within 90 days or less, disclosing the details of those vulnerabilities when a patch is published. We ask that you refrain from sharing your report with others while we work on our patch.
We may want to coordinate an advisory with you to be published simultaneously with the patch, but you are also welcome to self-disclose after 90 days if you prefer. We will never publish information about you or our communications with you without your permission.