We take security seriously. If you discover a security vulnerability, please report it to us as soon as possible. We appreciate your efforts to responsibly disclose your findings, and we will make every effort to acknowledge your contributions.

This project follows a policy of immediate full disclosure. We believe that full disclosure is the most effective way to ensure that vulnerabilities are fixed quickly and that users are informed of the risks.

When a vulnerability is reported, we will take the following steps:

1. Confirm the vulnerability: We will work to confirm the existence of the vulnerability and determine its impact.
2. Develop a patch: We will develop a patch to fix the vulnerability.
3. Publicly disclose the vulnerability: Once a patch is available, we will publicly disclose the vulnerability, along with the patch and details of the vulnerability. We will do this regardless of whether a CVE has been assigned.

We believe that this approach is in the best interest of our users and the Fediverse as a whole.

We encourage security researchers to work with us to ensure that vulnerabilities are disclosed in a responsible and timely manner.

File a GitHub issue.

If you do not feel comfortable disclosing a vulnerability publicly, or are unsure if it's a real issue, please feel free to email Soatok [email protected] with the details of your suspected vulnerability.