Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately via GitHub Security Advisories. This keeps the disclosure confidential until a fix is available.
Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Any suggested fixes or mitigations

| Severity | Initial Response | Target Fix |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 48 hours | 14 days |
| Medium | 5 days | 30 days |
| Low | 10 days | Next release |

Only the latest version on main receives security fixes.

Once a fix is merged and released, a security advisory will be published crediting the reporter (unless they prefer to remain anonymous).