I take the security of my projects seriously. If you discover a security vulnerability, please follow these steps:
- Do not open a public issue
- Do not disclose the vulnerability publicly before it has been addressed
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
- Report privately: send details to me through one of these methods:
  - Use GitHub's private vulnerability reporting feature (if available)
  - Use the contact information at https://what.lol/contact
- Include details: provide as much information as possible:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if you have one)
  - Your GitHub username (for attribution)
- Wait for a response: I will acknowledge your report within 72 hours and provide an estimated timeline for a fix.

When you report a vulnerability, I commit to:
- Acknowledge receipt within 72 hours
- Investigate and validate the issue promptly
- Keep you informed about my progress
- Credit you for the discovery (unless you prefer to remain anonymous)
- Release a fix as soon as possible
- Publish a security advisory after the fix is released

Security updates will be applied to:
- The latest major version
- The previous major version (for critical vulnerabilities)
Older versions may receive updates on a case-by-case basis.

When contributing to my projects:
- Never commit secrets, tokens, or passwords
- Use environment variables for sensitive configuration
- Keep dependencies up to date
- Follow secure coding practices
- Review code for security implications before submitting

I appreciate security researchers who help keep my projects, and others, safe. Contributors who report valid security issues will be acknowledged in the security advisories and release notes (unless they prefer to remain anonymous).

For any security-related questions or concerns, please reach out through:
- GitHub Security Advisories (preferred)
- Direct contact: https://what.lol/contact

Thank you for helping keep our community safe!