Thank you for helping keep this project and its users safe.
We only provide security fixes for the latest commit on the main branch.
- ✅ Supported:
main(latest commit) - ❌ Unsupported: tagged releases older than
main, other branches, forks, and any historical commits
If you are running an older commit, please upgrade to the latest main before reporting.
Please report security issues privately. Do not create a public issue with sensitive details.
- GitHub Security Advisories (Repository → Security tab → “Report a vulnerability”)
- Create a minimal public GitHub issue that does not include sensitive information (no PoCs, exploit details, secrets, private endpoints, or user data).
- In the issue, request a private communication channel for follow-up.
To help us triage quickly, please include:
- A clear description of the vulnerability and potential impact
- Steps to reproduce (or a minimal PoC shared privately)
- Affected component(s) and commit hash / version
- Any relevant logs (sanitized) and environment details
We aim to acknowledge receipt within 3 business days.
Please avoid public disclosure until:
- a fix or mitigation is available, and
- disclosure timing has been coordinated with the maintainers.
We will work with you on a responsible disclosure timeline and will credit reporters when appropriate (unless you prefer to remain anonymous).