Security: zynres/endless

Security Policy

We take the security of our project seriously. If you have discovered a vulnerability, we would be extremely grateful for your responsible disclosure.

Please do not create public Issues to report vulnerabilities. Instead, use the communication channels described below.

Supported Versions

We actively release security updates only for the versions listed below. Please ensure you are using an up-to-date version before submitting a report.

Notes        Supported
Supported    Yes
Unsupported  No

Reporting a Vulnerability

If you have found a security bug, please submit a report using one of the following methods:

  1. GitHub Security Advisories (Recommended): Go to the "Security" tab => "Advisories" in our repository and click "Report a vulnerability". This is the most secure way to contact the maintainers.

What a good report should include:

  • Description: A clear description of the vulnerability and its potential impact.
  • Steps to Reproduce (PoC): Step-by-step instructions, code snippets, or screenshots so we can reproduce the issue.
  • Environment: Project version, OS, and runtime/language version.

Our Response Process

Upon receiving your report, we commit to the following process:

  1. Acknowledge receipt of the report within 48 hours.
  2. Assess the severity of the vulnerability and provide you with an initial verdict.
  3. Develop a fix. We aim to resolve the issue as quickly as possible (typically within 7–30 days, depending on complexity).
  4. Publish a security release and issue a Security Advisory, where we will gladly credit you for the discovery if you wish.

We ask that you do not disclose the vulnerability publicly (on social media, blogs, or public issues) until we have released an official fix.

Acknowledgments

  • At this time, we do not have a monetary bug bounty program, but we will proudly add your name to our Security Contributors list in the project's documentation.
  • We deeply appreciate the community's efforts to keep this project safe for everyone.
