The following versions of this project are currently supported with security updates:

| Version | Supported |
| --- | --- |
| 1.0.x | ✅ |
| < 1.0 | ❌ |

We take the security of our software seriously. If you believe you have found a security vulnerability in our software, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Please follow these guidelines to report a security vulnerability.
To report a security vulnerability, please follow the steps outlined below:
- Contact: Please do not report security vulnerabilities through public GitHub issues or other public channels.
- Details: Provide sufficient information to allow us to understand and reproduce the issue:
  - Describe the nature of the vulnerability and where it was discovered.
  - Detail the potential impact of the vulnerability.
  - Provide detailed steps to reproduce the vulnerability, including sample code or a proof of concept if possible.
- Confidentiality: Keep the information about any vulnerabilities you've discovered confidential between yourself and our project maintainers until a fix has been fully investigated and a release is made available to all users.
- Avoid Privacy Violations: Do not access or modify other users' data without permission. Do not engage in any activities that may be destructive or disruptive to other users or to the project.
After the initial reply to your vulnerability report, our security team will endeavor to keep you informed of the progress toward a patch and full announcement, and may ask for additional information or guidance.
- Acknowledgment: We aim to acknowledge receipt of your vulnerability report within 48 hours.
- Investigation: A preliminary assessment of the report will be conducted within 72 hours to determine if it warrants further investigation.
- Resolution: Our goal is to address security issues within 90 days of report acceptance, including updating all affected versions and communication to the public. We strive to release updates as quickly as possible, depending on the complexity of the fix and the risks identified.
Public disclosure of a security vulnerability typically occurs after a fix has been developed. We believe that this method provides the fairest balance between public knowledge of a vulnerability and the availability of a fix.
Contributors who report security vulnerabilities responsibly will be publicly acknowledged (if they consent). This recognition is part of our commitment to thank and incentivize researchers who help us ensure the security of our software.
Thank you for helping keep our software and the community safe.