
Security: gt-ospo/oss-training

SECURITY.md

Security

How to report a security vulnerability

Please use GitHub's private vulnerability reporting mechanism, described here, rather than a public issue.

  1. Go to this repository's security tab
    • In the top menu bar, select "Security"
    • Select the "Report a vulnerability" button

[Screenshot: gh_security_reporting]

  2. Click the "New draft security advisory" button to open the advisory form; an example of this form is shown below. Fill in as much information as you currently know and whatever you think is relevant to the vulnerability you've observed.

[Screenshot: gh_vulnerability_draft]

  3. Once you have filled in the draft security advisory form, select "Create draft security advisory" at the bottom of the page to submit the form.
    • The repository admins will then receive your report and can discuss the vulnerability with you in a secure fashion.

After reporting a vulnerability

Upon receiving a vulnerability report, we commit to working with you to find a suitable fix or mitigation strategy. We will work with you according to the following mutual expectations:

  • Response Time: We will acknowledge your report within 24 hours and provide an initial assessment within 72 hours.
  • Fixes: Once the issue is confirmed, we will work to issue a fix as soon as possible and will keep you informed of our progress.
  • Non-Disclosure Policy: Please do not disclose the vulnerability publicly until we have had a reasonable chance to fix it. We will work with you and inform you when the issue is resolved.

Patches

We gladly welcome patches to fix security vulnerabilities! See CONTRIBUTING.md for information about contributing to this repository.

There aren't any published security advisories