We take the security of this project seriously. We appreciate the efforts of security researchers and community members who help us improve the security posture of our code.
Because this project does not currently follow a formal versioning scheme, any reported vulnerability will be considered applicable to the primary branch (main or master) and any actively deployed instance of the code.
Please do not report security vulnerabilities via public GitHub issues. Instead, please use private communication to report your findings.
To report a security issue, please send an email to:
[email protected].
For us to quickly understand and address your finding, please include the following information in your report:
- A clear and detailed description of the vulnerability.
- The exact steps needed to reproduce the vulnerability.
- The potential impact of the vulnerability.
- Any proof-of-concept code or demonstration if available.
- Details about the environment where the vulnerability was found (e.g., browser, operating system, dependencies).
Once a report is received, we will follow these steps:
- Acknowledge: We will acknowledge receipt of your report within 48 hours.
- Investigate: We will confirm the vulnerability as quickly as possible and determine its impact and severity.
- Remediate: We will work to fix the issue in the repository's main branch. Since this project is not versioned, we will immediately apply the fix.
- Inform: Once the fix is deployed, we will inform the reporter of the resolution.
We prefer to work with security researchers under a responsible disclosure model, allowing us time to patch the vulnerability before public disclosure.