If you discover a security vulnerability in Mercur, please report it privately — do not open a public GitHub issue.
Email: hello@rigbyjs.com

Include the following in your report:
- Description of the vulnerability
- Steps to reproduce (or proof of concept)
- Affected components or modules
- Potential impact and severity estimate
- Suggested fix (if you have one)
We will keep you informed throughout the process and credit you in the release notes (unless you prefer to remain anonymous).
We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Report vulnerabilities privately through the channel above
- Allow reasonable time for a fix before any public disclosure
Security fixes are applied to the latest release. We do not backport fixes to older versions unless the vulnerability is critical and the version is widely deployed.