If you discover a security vulnerability in our project, I appreciate your help in disclosing it to us responsibly. To report a vulnerability, please follow these steps:
- Do not create a public GitHub issue for the vulnerability.
- Contact me on discord @emmakasaki with the subject line: "Security Vulnerability Report".
- Provide detailed information about the vulnerability, including steps to reproduce and any potential impact.
- Our security team will acknowledge your report within 48 hours and work with you to validate and address the issue.
- Once the vulnerability is resolved, I will publicly acknowledge your contribution (if desired) and release a security advisory.
This security policy applies to all versions of our project.
I will accept vulnerability reports for the latest stable release and the previous major version.
- I aim to respond to vulnerability reports within 48 hours.
- I will work with you to address the issue and provide regular updates on the progress.
- Once the vulnerability is resolved, I will coordinate the release of a security advisory.
I consider security research activities conducted in a responsible manner as "authorized" and will not initiate legal action against you if you:
- Comply with our vulnerability disclosure policy.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not publicly disclose the vulnerability without our prior consent.