Please do not write to us publicly (such as a forum) or in a GitHub issue. A public report can give attackers valuable time to exploit the issue before it is fixed. By letting us know directly and coordinating the disclosure with us, you can help to protect other users from such attacks.

If you have spotted a vulnerability in one of our repositories, please let us know immediately. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

You can always contact us directly at security@locomotive.ca.

You can also use the security advisory form on GitHub to securely and privately report a vulnerability to us.

We will send you a response as soon as possible and will keep you informed on our progress towards a fix and announcement.

Security backports are provided for some previous release series.

This Security Policy is adapted from Kirby's Security Policy, version 2023-11-25.