Please report security issues through the Patchstack Vulnerability Disclosure Program. Patchstack helps with verification, coordinated disclosure, and notifying the maintainers.

We take security reports seriously and appreciate responsible disclosure. We aim to confirm, assess, and address valid reports as quickly as possible.

When a report is received, we use the following process:

• Confirm the issue and determine severity together with Patchstack.
• Notify affected third parties if coordinated mitigation is needed before disclosure.
• Prepare an advisory with details and mitigation guidance.
• Publish a patch release.
• Publish the advisory once fixes are available.

We credit reporters for identifying vulnerabilities unless they request to remain anonymous.