Please report security vulnerabilities using GitHub integrated security reporting

Do not open issues on GitHub with security-sensitive content, as that would make the report public.

We will acknowledge your report within 48 hours during the work week, and provide an estimated timeline for a fix and release if we can.

We will publicly disclose vulnerabilities after a fix has been released and users have had sufficient time to update.

This is where we will acknowledge researchers who have responsibly disclosed actual vulnerabilities, once fixed.