See also code conventions; there are a few guidelines about security of added code there.

Security issues may be reported to core team members privately e.g. on Discord. Note that this applies only to security issues; everything else should still be posted to issue tracker.

Publicly posting security issues is also allowed, because not everyone has or wants a Discord account. We may add other channels for private reports in future.

Everyone with push access must use two-factor authentication for their GitHub accounts. Should their account still be compromised, other team members should be immediately notified.