If you discover a security vulnerability in PHL, please help us by reporting it responsibly.
Do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing the maintainers at:
Include the following information in your report:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity
- Any suggested fixes or mitigations
- Acknowledgment: We will acknowledge receipt of your report within a working week
- Investigation: We will investigate the issue and determine its validity
- Updates: We will provide regular updates on our progress (at least weekly)
- Resolution: Once resolved, we will:
- Create a fix
- Publicly disclose the vulnerability after giving users time to update
- We follow responsible disclosure practices
- We will not publicly disclose vulnerabilities until a fix is available
- We will credit reporters (with permission) in security advisories
- We aim to resolve critical security issues within 90 days
We appreciate security researchers helping keep PHL safe. As long as you follow this policy and act in good faith, we will not take legal action against you for security research activities.
For security-related questions or concerns, contact the maintainers through the email address above.