Margo takes the security of its specification and code seriously. If you think you have found a security vulnerability, please read the next section and follow the instructions to report your finding.

Please DO NOT report any potential security vulnerability via a public channel (GitHub issue etc.). Instead, please report it directly to Margo by emailing [email protected]. Please provide a detailed description of the issue, the steps to reproduce it, the affected versions and, if already available, a proposal for a fix.

You should receive a response within 5 working days. If the issue is confirmed as a vulnerability by us, we will open a Security Advisory on GitHub and give credits for your report if desired. This project follows a 90 day disclosure timeline.