If you find a security vulnerability, report it to us by clicking Report a vulnerability.

We will review the report promptly (within one week but usually much faster). If we are able to confirm the issue, we will publish a GitHub Security Advisory and associated CVE for the vulnerability along with the fix.

We understand that security research is time consuming and appreciate vulnerability submissions from the community but we are unable to pay out bounties for submitted vulnerabilities at this time.