I take security and privacy issues with my software seriously. I appreciate any and all reports of security issues, and offer two primary ways to report an issue:
- Report a vulnerability via GitHub
- Send me an OpenPGP-encrypted email. You can download my public key here.
Both methods will end up in the same place; please use whichever you feel most comfortable with.
If you aren't sure if an issue you've identified is a "security issue", please err on the side of reporting! I'd rather have a conversation about why I don't consider something to be a vulnerability than miss out on the opportunity to improve my software.
I will make every effort to respond to vulnerability reports within 72 hours, but may need more time to analyze a complicated issue. Time to deliver a fix will depend on:
- bug/fix complexity
- bug severity
and will have to be determined on a case-by-case basis.
Please note: I cannot offer a bug bounty or any other consideration for vulnerability reports at this time. I will credit your contribution in release notes and any CVEs, at your discretion.