Security is a serious matter for us. We want to ensure and maintain a secure environment for our customers and the open-source community.

We are eager to work with the community to resolve security vulnerabilities within our tech stack in a timely manner and to properly acknowledge the contributor(s). Please do not publicly disclose a vulnerability until we have an opportunity to review and address the issue. Follow these steps to report a vulneratbility:

1. Open a security advisory, which is visible to project maintainers only. Please do not submit a normal issue or pull request in our public repositories.
2. We will confirm the receipt of the report within two business days. (It make take additional time time to resolve the issue.)
3. If you already have a patch, we will review it and approve it privately; once merged it will be publicly disclosed. We will acknowledge you in our changelog.
4. In case we need additional information during the investigation, we will be actively reaching out.

Please do not publicly mention the security issue until after we have updated the public repository so that other downstream users have an opportunity to patch their software.

If you have any questions, please contact us directly at security@tenzir.com.