If you believe that you have discovered a security or privacy vulnerability in this open source project, please report it using the GitHub private vulnerability reporting feature.
Reports should include the product and software versions that you believe are affected, a technical description of the behaviour that you observed and the behaviour that you expected, the steps required to reproduce the issue, and a proof of concept or exploit when available.
The project maintainer will do their best to acknowledge receiving security reports within 7 days. This initial acknowledgement is neither acceptance nor rejection of your report. The maintainer may ask follow-up questions while working through the details.
Do not include credentials, tokens, certificates, SSH keys, API keys, personal data, private hostnames, or proprietary files in public issues, tests, examples, logs, or screenshots.
Known, publicly disclosed CVEs can usually be submitted as normal issues. Output from automated scanners should include enough context to show why the finding is exploitable in this project.