Previous: Contributing · Next: Code of Conduct · Back to README
Security and safety corrections are applied to the default branch. Historical tags and forks are not supported unless a release note says otherwise.
Use GitHub's Report a vulnerability function in the repository Security tab. If private vulnerability reporting is unavailable, open a public issue containing only a request for a private contact channel. Do not include the vulnerability, exploit, credentials, personal data, or affected source in that issue.
- affected file, workflow, or documented process;
- impact on users, sources, or evidence integrity;
- minimal reproduction using synthetic data;
- suggested mitigation, if known;
- whether any third party has already been notified.
Maintainers will acknowledge a complete report within seven days, assess severity and scope, coordinate a correction, and credit the reporter if requested and safe. Timelines depend on whether a third-party tool or platform must act first.
- vulnerabilities in third-party tools merely linked by this repository;
- reports generated entirely by automated scanners without demonstrated impact;
- social engineering, denial of service, or testing against contributor accounts;
- requests to disclose private case data or security contacts;
- claims that a public link is unsafe without a reproducible basis.
Report third-party vulnerabilities to the upstream project's security channel. Tell this project privately when a listed tool creates a material risk so the entry can be warned, reclassified, or removed.
Good-faith research must remain within this policy, avoid privacy violations and service disruption, use the minimum data necessary, and stop when unexpected sensitive data appears. This policy does not grant authorization to test third-party systems.
Previous: Contributing · Next: Code of Conduct · Back to README