Please do not report security vulnerabilities through public GitHub issues, discussions, or other public channels.
Instead, please disclose them responsibly by contacting our security team at:
📧 [email protected]
Please include the following in your report:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fixes or mitigations (if known)
After you report, you can expect:
- Acknowledgement within 48 hours
- Initial assessment within 5 business days
- Regular updates on remediation progress
- Public disclosure timeline coordinated with reporter
Critical security patches are released as soon as they're available. All security-related updates will be marked with [SECURITY] in release notes.
While we don't currently have a formal bug bounty program, we gratefully acknowledge responsible disclosures by:
- Listing contributors in our Security Hall of Fame
- Providing written recommendations (upon request)
- Public thank-you in release notes (with permission)
Note: This policy may be updated periodically. Last revised: 05 2025