If you discover a security vulnerability in any of our SDKs, tools, services, or repositories, please help us keep the community safe by reporting it responsibly.

Please avoid disclosing the issue publicly until we have had a reasonable amount of time to investigate and release a patch or mitigation. We review all legitimate reports and will work with you to resolve the issue as quickly as possible.

We strongly encourage security vulnerabilities to be reported privately through GitHub Security Advisories:

https://github.com/AvaloniaUI/Avalonia/security

To submit a report, visit the security page and click "Report a vulnerability". GitHub will create a private security advisory that allows you and the Avalonia team to collaborate confidentially on the issue until a fix is available.

If you are unfamiliar with GitHub's private vulnerability reporting process, GitHub provides detailed instructions here:

https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/privately-reporting-a-security-vulnerability

Alternatively, you may report security vulnerabilities by emailing security@avaloniaui.net.

Please note that Avalonia does not operate a bug bounty programme.