Security: privacy-enhancing-technologies/SynEval

Security Policy

The Privacy Enhancing Technologies (PET) Initiative takes security and privacy seriously. We ask that all users and contributors follow responsible disclosure practices to help us protect our projects and their users.

Supported versions

Currently, we provide security updates and maintenance for the versions on the main branch of each repository. Older versions or archived branches may no longer receive updates.

Reporting a vulnerability

If you discover a vulnerability in a PET Initiative project, please do not create a public issue. Instead, email [email protected] with the following information:

  1. A description of the vulnerability and its impact.
  2. Steps to reproduce the issue, including any relevant code or configuration details.
  3. Your contact information for follow‑up questions.

We will acknowledge your report within 5 business days and work with you to assess the scope, reproduce the issue and develop a fix. Please give us a reasonable amount of time to address the vulnerability before you disclose it publicly. Coordinated disclosure helps protect users while ensuring credit is given to security researchers.

Vulnerabilities in third‑party dependencies

Our projects rely on many external libraries and frameworks. If you believe a vulnerability exists in a third‑party dependency, we encourage you to report it directly to the upstream maintainers. We will track critical upstream issues and update our dependencies as fixes become available.

Public disclosure

Once a vulnerability has been addressed and a fix is available, we will publish an advisory in the project’s release notes or security advisories section. We may also provide patches for older versions when feasible. All contributors must refrain from publicly disclosing or discussing the vulnerability until the advisory is published.

Questions

For non‑security questions (e.g., general support, bug reports, feature requests), please open an issue in the relevant repository or use the mailing list. Security issues should always be reported via email as described above.