We take the security of our software very seriously. If you believe you have found a vulnerability, please let us know as soon as possible. We believe that a responsible disclosure process is mutually beneficial to both security researchers and software project maintainers, while also providing optimal benefit to users of the affected software.
- Submit your initial report as a PGP-encrypted email to [email protected].
- We will assign your report a case number in our incident reporting software and invite you to this case as a participant.
- We will work together toward a resolution. For you, this may mean providing additional details around your findings to help us identify the conditions in which the vulnerability can be found, and whether this class of vulnerability may be present elsewhere within our software.
- Any information disclosed in your report, at any time, may be publicly disclosed within 60 days of its disclosure to us, regardless of when the initial report was submitted.
- After the case is resolved, we will endeavor to facilitate public disclosure prior to the end of the 60-day waiting period.
- We believe in responsible disclosure, and will agree to public disclosure after we have had a reasonable amount of time to patch the vulnerability and protect users of our software.
- We believe in giving due credit. With your permission, your name and a link to your public disclosure will be included in this document.
- This project is a labor of love from a community of contributors, so we cannot provide financial compensation for your work.
The following security researchers have reported vulnerabilities to us and worked with us toward resolution. On behalf of both us and our users, we offer these researchers our deepest gratitude. You make software safer.
- Your name could be here!