Vulnerabilities can be reported via email. Please do not use the public issue tracker on Github.

The Theia Cloud security mailing list address is security@theia-cloud.io.
This address should be used only for reporting undisclosed vulnerabilities; regular issue reports and questions unrelated to vulnerabilities in Theia Cloud will be ignored.

We will respond to your report usually within one business day and keep you informed about the progress.

Disclosure is initially limited to the reporter and the Theia Cloud security team and may be extended to include other Theia Cloud committers and other individuals.
Full disclosure to the general public happens once there is a patch, fix, or workaround available. Regardless of this, the vulnerability will be disclosed after a maximum of three months.

Non-committers will be acknowledged for their security research on disclosure if the issue has been reported responsibly.

Publicly disclosed issues are tagged with the security label.