GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as GitHub.
If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways.
If the vulnerability you have found is not in scope for the GitHub Bug Bounty Program or if you do not wish to be considered for a bounty reward, please report the issue to us directly through opensource-security@github.com.
If the vulnerability you have found is in scope for the GitHub Bug Bounty Program and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through HackerOne in order to be eligible to receive a bounty award.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Thanks for helping make GitHub safe for everyone.