Do not open public GitHub issues for security problems.
Use GitHub private vulnerability reporting from the repository security page:
- open the repository Security and quality page
- click Report a vulnerability
If the label changes, use the repository security page and choose the private vulnerability reporting option.
Include:
- affected version or commit
- impacted component
- clear reproduction steps
- expected impact
- any mitigation you already tested
Redact private keys, tokens, server IPs, domains, and personal data from all reports.
Security fixes are expected on:
- the latest tagged release
- main, if the fix has not yet been released
Older versions may receive guidance only.