As responsible open source project maintainers, we treat vulnerabilities and issues around privacy violations seriously. We're also all volunteers, so we ask for your patience and responsible disclosures.

Vulnerabilities should be reported privately only to [email protected], the organization owner. Please ensure to clearly explain the issue, along with steps to reproduce and the reason(s) why this should be treated as a vulnerability.

As an all-volunteer project, we will acknowledge any valid security vulnerabilities as soon as possible. We also ask that you give us up to 90 days before making any public disclosures.

A great place to learn about responsible security processes is the OWASP Vulnerability Disclosure Cheat Sheet.