I welcome feedback from security researchers and the general public to help improve this project's security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of the project's assets, I want to hear from you. This policy outlines steps for reporting vulnerabilities to me, what I expect, what you can expect from me.
When working with me, according to this policy, you can expect me to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within my operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
In participating in the project's vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting the project's systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with me;
- Provide me a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
To report vulnerabilities please email [email protected] and include:
- "SECURITY" in the email subject line
- A description of the issue
- Steps to reproduce the issue
- Affected versions
- Suggested mitigation (optional)
When possible we recommend using encryption to report serious vulnerabilities. You can find our PGP Public key below and in the project's security.txt file. Please reach out to the contact address if you have any issues or prefer an alternative form of encrypted communication.
PGP Public Key
https://keys.openpgp.org/search?q=9AEC89F0B43B891754292434C0394F55B26FEB90
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGKSnNEBEACogRUbElf5CCH4/jzncwaGFklDJbD+GcvuMaZcvQBEUiMcp2LS
UCzBH55qmGai1kJPsAWDtWX7hqepcri48kTBqkXZtWPvqKLnwBegJKnyi+6AiO4O
LhgnphNVr1eoWMsaW3+pdMHJX7vJu6K3XJdn3qJ5sUWilPdRcSJbaAazdPBobBKk
ZBNfRg7Bq5+xJz/suYHl0U8Of2ADkfTSeBvtgIgXYR9rRTWTzpak7pm22M61ArqA
9RYqU0wJPRH2GUKJehe7oDjSJekcPHJLDENo8w7m/n4kiX8CmkzJGATcASrR0Her
oTDldatbo10TAcHxxtd2k2txZMLlfy6tGQDyQ1oBy31Q2sJ9Gq8c1YdzqAHLN11g
7qNlfBIrgbyLpYCto/kqmVpDEFApMmE7zFd765iuQQUfO/Cv5UlXqRIqpm3NJZDv
QQM8p8R9f44BFUjzmsBfnNx+4o+CjpL9LjnZ0Mn4NfpFwlQjrPE+ThY9JLb5MxF9
i+lmS2JfLAPu+YhGtR9RSZ02KtKNC+I9Hp2bIg21z2GeciaaV1dEYyDoB8WjDfjp
vrEBQ5+esKkz0B5p263PM5H5rDx6eIMoMtRJHT3+/k1MMtNuNHuiRtKfAK0YCNNA
1zznS0JbRkRIje0846OsTN9E3hVI80KF3rPUxOMXgksGsvt4Nd36fp8F2wARAQAB
tCtXaWxsaWFtIE1vcmxhbmQgPHdpbGxpYW0ubW9ybGFuZEBnbWFpbC5jb20+iQJP
BBMBCgA5AhsBBAsJCAcEFQoJCAUWAgMBAAIeBQIXgBYhBJrsifC0O4kXVCkkNMA5
T1Wyb+uQBQJik3TqAhkBAAoJEMA5T1Wyb+uQZZ4P/iBbfMuBZBqKxtAqcX22pKBz
0h6TLP0h96/OkCGtOxgHqCAIjhCbwHoCdzsS0fUjuWdIiKhlrHOwLfMCs6pJNfHv
zWA9Q8ueeNwIVwNa6VLng3GePjq3rKgE+ioDvMeD13L8XOWPmf2c2uy+nJ02UVPP
LGY3u3Y6CfKrCIXpJo+6FKLgIjQi1GPKyJfXcNGuLrTUAgXq1SBPKWEzL8v1rrrt
kdua7RbDQ+wCHHMUT0CoAYCsvm/Ex0LbIAcAul71V//TiayATkkRk0iquy/k2H4T
6e4dkNVt1QIbdJzUeKYXlY2la5dVUoeGs+DgiW1OzWq6mmWbcJPEA2ECReqFJDvb
gzpcO3JMnwTiZqjmIF4zEtLONQyfK89IJtI/BAB9i7O1RiNBBS/7ZYmjA25hyr1o
OZFaK+ykvLRuvmobTnjujlcmzmU4J+NgRsjk/fg8jPbkuEkSwYosuORAd/CAM8cN
MxvfHHx5FbDne6NRM0XikOEN52mNReXYoC0mrA98ZKNMjt1+YeXx0naukNmKVibC
/kggU6FTKogfdHb4t7GGqcCIq3bltrBBm0u3e+JyhyQe4PCKIoQ2WGNY9EKCQ4Ef
CFgK5iWxsR04QYnQP2qBtFVfTFQqAPSzDYUdJbPG/Xsh2gEa2eombkrR4UGSUEOO
s6fM5uFV+1nYEdWAzhPqtCtXaWxsaWFtIE1vcmxhbmQgPGdpdGh1YkB3aWxsaWFt
bW9ybGFuZC5jb20+iQJOBBMBCAA4FiEEmuyJ8LQ7iRdUKSQ0wDlPVbJv65AFAmKT
dS4CGwEFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQwDlPVbJv65DUfg/+OkrT
VDMBHe/Y7yXhKRhdVhBFmthIUYxpiM8FGsu6taXDryYXjJcF/LdGzKAXqdHY2Dul
daj2zFK9V05xZ9/jEUBqo1iQlaqqebelie3bWAgJWBo8+smqzbXUh8Xb6qzMSpJo
H/aJG6tv63TYZcskXIm9L295ZGX0xfjIH/ID9PTnH5jTV39iBXGJjJe7PMeZAR5x
HAkDb6O0PJgCJxDsP80by44i6DU2jW7/FZBATEFMgr10hZVb7DAjWPvQv5b5YBjv
7NFfkRhKP0KbOv3MEeBWn/57ajwES3bl6ZmQgt8mLE/Cjp0dD4JMEEILiVNNkttL
JcShIG4MJhlpQWM4O13u9Ygc2kOePhjBK71pSj1CsuLuvBgc0o15J5uQ6zb01wuD
LMhGf6O/YfbAeu2KavvlkOU/HStG+eY3niE3WEn+jtRwPOl6Tjo/BSehLw8FulQg
o5XamfzA/UD68MzOZAnx22Nj8HtWDrOIlEJnNjF6bgE1IRxSsZ5McXgLuSup6Xgx
OhudpRbHxfs4rNihomwvm8ZzhxJ8w7iv24BESMHt0QPu0J3ZLwbv4HG2v8NtZN56
qdOJWKY49lG2XHh7aYiwnfSAVXlz4Hi1krU0CKHZrln1WenuqqtDIYHSrby3C6NY
omH7IAGOoYIhLnuUem/DO73RzPmJWHqUk+cE1cC5Ag0EYpKdSQEQAL9vNyNkLdud
nhSNG4yoPfLU982ETqzw6bQFjYNnvByOkvin/24TPnhJM+I7X9mm/+lqW7veqXrZ
4w3H1yLGTb8vQQ4sJSTj0rbiEEW4bwkg+svYFOSANoG4iCb+uy2R+f9Wa0hSXeJo
sIFda41mhLhVu2vw7sHxIsMcmKDuKdIJsyP52IMxmWa2UCwv1JQcNEF/e3SV/Mn2
ecK1ZalMmd04r7nQCfQY188sEkZrxgHgq1YvhDP6CvIbNHbvcwdcICNKySzkJRn3
oNIph2nwWJ9Z0JEkLmaWszoL5nwge9ftoXOASyRqNYmyqvJEdyDUNPU386avFv8t
R6fskShTZ6O4XVsYi6+TqoXhZJbp8QgHZMLO6Or6tvFu/4+Exp6HuXvwbTrXVCRj
wCdHsvAialKroHU+iN9U/KFN4qWfAZ9vIvBxBt+Wis5GKX7+B6Du0VULCP5je7zQ
V5E6kypRtPHa4cIIA3LGAKus8h5BR1zNn/jESafy+dxtysV0yS1D4idTAncG839I
Ts0jryAuW9qNdpfdoybhar/yDwg2+8rpEOdi4asoLTGFecYhBSYvrQBSam2hG8ti
SgIF7BJOuxHbltnFof3ImQWv3Uy+L/2Y4RU0tLFyj56bF+NMaS7hSCNvzKBnRN6u
MPbK3FibEHX+1K/O34/2AWRJthstPTM/ABEBAAGJBHIEGAEKACYWIQSa7InwtDuJ
F1QpJDTAOU9Vsm/rkAUCYpKdSQIbAgUJAeEzgAJACRDAOU9Vsm/rkMF0IAQZAQoA
HRYhBMP8d6E0SI9cnKEwpFxkMJa8N/JHBQJikp1JAAoJEFxkMJa8N/JHyf8P/0TW
yPRmI+80ERODidNyMb/3CdY8P9j2MQq9oOLEnV0zmlSMhAQR0bCGAt6jA+SBnvVq
1idEugIf+W1YnlYkxpTf8wrBGcxdjuZTUgVlAs5idWN2QDEUEXBdL231HktKV3vN
HsQJ2sWx4lW6Zp/oexDNqAkdjvuoNakIqq0NNJT3XM0s00Oxki2C7uPrcqy5S0zD
Vh/Ls0q1kz8XrDAJ/ZysQAZFGzyJD/OUd54EnlIeHxt5Qhis3Of6xYV6Ix1+c5/c
B3effxcXo0dL7FCEQpNaYKcRkO70YGGL0UE2izamm56QJxADPyrrKnqT6/ru2w16
8UaY3FvdZjceeT7pkf9Vh/qhBfpi6OCQIscHCTx+D0bP5320c2A48EZHqNY61TcO
JH5yZmHe4cjd/5AJaZAefxdieUkQvnPfJYcp7PKsuXxzaKaJRVldKpMhutRR77cI
vpBTfrQhiYPCEuQ85lhajqnZJlwHptfLd///OT5ZebDz8vJ3/tRrApQSgCf8bXMx
ZnrL2EtyV+wAxAbdWAkm4CWiWP19g+2DNEOvKZNqmg7pJ5P3MAk5tutBShuAxUk3
7NxW/vnvtSgda2iZoV8R958SY3lk2ePNViNnk8CF7ba3+6jU6KriaBhbONcubKYc
Jmg64DfTV7NyagBCqeoIfN8REK4zcZq/prgIzvnGMYoP/16vJeRUR47xqy/edg2N
ShOeyxCuCXbmNO+LtXuDgdgSsjMldUDrwzxzaFvYHBw43CdigT6rS/sAJIAy6EU0
lg76KhJ8AhaCZ4sE/S7qmD9dEIwRwVOEgGXp48W9ZYvOrz4cs/xAiBp7w4Ea/6sv
tl6/HFKKOvKmTQMZTcIUL7tNWhKokx2aW9aZI00hd2sa1D/36nkx/xLQ3sPJPUyx
or1DsF8eVJPTQYmvh7M9M8oQbSjZD4ZIZe7E54s4LOjCoU7xTgNRw9/8MhTxLc72
lFYMZlMrF3O0QJJqHKE+5PVoWX3rdAb6HBx2LiTMTtJaqodcdoMvV0xxgmotRC8D
FfoqeDJouY22vfGjst4PZ7/JBDNrtoCzEmNApiIHG2KjgsCViJu0XQYNG4TklIPI
piUPy2ITGt+ufuEFgMVBlmmsMGHMZqqopnj3tYFXrAKElsKCwq3n0cDmfwXGJkE9
shXNtrhzArogRM7GMK9G+dWp5yYUMOb9SV/5xBTj6Gwm976JQcugxH1Byyh08BMm
7X2aLQlEe/0j+O8ffcY42R3CK3UeBHosXmxsZYzQnJ3WX8zr0Nw5CId/g4KVa2o2
e5aRhMDX00z+P7ZS1s07QWPZEJKax7tTZY1/L0KNzkXguyW7cbXd3IiJ4ZpGvwWD
QfK7555XILc0cO9pOt7GYdnuuQINBGKSnYEBEAC9Xh6yQwdlsVzIzag1vrBmA0kl
HWvhtb4xZrNtIXNRasKblSnW0s+JRf0vdaGX7berlcl7oIVntPLg1g45iypZSuP1
cYN0F1rsqVmu51p5YUvU1r4xhf295eRkLd7rrIU4knOcLjVwR6D/pqm4RiDsBK5g
4HDYhMuTB9WU+ARHwjtyP5IPrWuC6cw8QkePi7zP6oUILuvf5c+FM2iEzRFTjlFT
T2FC5lwcmWRowBN87uXj4USbJ9lIChLMeezK3K9dimh8S2bKQhSBv4BwGhTeVmzl
Dc78fu6g5d/4n4PLMAA2Mr+wmnRHBx4KVQ1HWg/ealT+vQj3376CrmlmmNkcPPmu
HQ1ND0ssHb6iI6GVJmx6Km/q/Twd3F9lPwi1D2flfc+y4nzhyDYpOTOx+NiyoSpv
LHXvQ/5IvADzwbrPlskK2QcFj/QwpDktbbi/Urw1iSD0lPAbbwUL/cTiWiG725w0
Uew0eY8pABeDBlTvS6U35fsi//kJsT5wEjQT3LOomwdqjnGdxYF7dimGMFobRYZL
67sS4yDQYXODxIR2EmevJgGB0WRowY2dn3osLFT1VLOMfR7F5haY/4S7F6KHwGME
Vgp5IlAgUS/zVRSz6HrqxxHi8C/zrPxrgGYoLxKm4qglnki8BQp+/DlG9xEv7rQR
QU1Ap2H70KsXpP1PjwARAQABiQI8BBgBCgAmFiEEmuyJ8LQ7iRdUKSQ0wDlPVbJv
65AFAmKSnYECGwwFCQHhM4AACgkQwDlPVbJv65Cm/w//R8jeMVHIYBtlHkNfJdm0
/yt6TvXaCUp2Ayj/m9fvJYuY6PcdpCdMtKOpiOPPQfdUuXHv0eHivx2bqzkXwAHw
3v21bHUSiY/y2MMbqAJoRKdtIjXmetBGHNeW+dlCg/vfGBGYXnbq0pQznVwKyi09
gqXngr5EdWIgnX3+4avrxSBkTKyZi3KiWJ/QXD+c2K6i3libd+zHfGGGlMkQfFeO
f6eCrF4pzIlfSLggNhnxhudXfxyqKOJOEwKoOSoAnpGwQhyBZZehquh5jSyfHwRH
dS+uuMiVx9WH5VlItqyTfDc/XY6oAvPpIuoaWKNdKgo2PwxyZIpb1XECHLt2eQ0n
jjAPy76mP/yz9Xxf6O8Ht7K5PRmf2htFR1PM7oJGEyD770GBTu0ACIuSs39FEZNY
6TydzBfZV1Wa6Y31FbZU1ZOdIcZbYX71KqGbqvQ/LSKw0uHtaLqYMDgIIImgChYO
eP9vufmwJvyvMkc6Ftzw8ZQkGhkkyvwcBZbb6BQo7xkd5nEch87F7y7NBy6FcC/O
sQt1fCCOfY+3UOBkNxPUe0EMNH+smj057lVpsiH/6wSYh657SRxPAF8IV+dKI9hh
tlpCi2Q1U1lS/NN6VNoSgIDTroh3G/vw4lmiEWhusqCFIRr39/hfuZGJQ3euxPcP
i6NmHDJdGA1YveVXPfGlWPi5Ag0EYpKdugEQAMDc7/TdXSi0lAfwQls54NVfavmv
dumX+A7hseK3rZugfzepMs3716AxbPYhKRGn5bwv0426vrDnqdtI39yg1ZMLyphX
6tV5XstpLXWWbj1utUT+uOZRExhyX3Izz5s7KM+dUKLiL8cvXyEnlCkKkrRG9wTr
tAX58K2a9ErpuxovUYLIvi10pLds+04E7LFNmRIBBYfDRu/JwALvaauMHwxrZHjg
nmyRszamTFLM4mDueZgFd8IPK5NELPICcfl1uskZG/bflWsTpj+3Jd01KcWHwhnM
yBa7vPjqsVTyjU+8u/VIq94IAYI1BPYC5+k9AP6BQgk1+grv2v17W9FwULjFOGyI
ZuFk243msAshc52Jai/Fs193BX01+XUwCpODLawzcKDn7kwmr86A5fXFyOKYy46b
n3+jGIG8qLjqbLZwYOZsI6lFOQSrx0fOk9quIFjQ0oMPc36qFT9gaYoX4tE2xtMi
W/Hr/OsJ3j6tdm+kZIScQezCXB2x4oFqIuo5iAhnRB7SdIri3Scix4qwwVb+MEoq
SyvyD4iVZAtbIVsZaZnOQk+owp75ojQXiUr5dspRo+WPN+/eCm+W04fZpOs1f61h
6QITf4A538F6O4wxTpgWndaa7Y3b93LBz6HBIF6E2vONJeLA55luRqSYAfm4czHx
RzWZ6ps6gZsI7povABEBAAGJAjwEGAEKACYWIQSa7InwtDuJF1QpJDTAOU9Vsm/r
kAUCYpKdugIbIAUJAeEzgAAKCRDAOU9Vsm/rkHaTD/9xc57AosdrHLblT3xq6wuv
/YeNHSiMMktE0KLXBAmCTkIp3Z8n44ZuQjqCXXjVUuBf6mDuICnTkJUqOHV19g0p
2m93H5eHBcnFVYnMNv/Lefohpd+8GO2PAKaFTyAt3mn1QZnq921MfM70ywI/0uyu
Vf0TOj3C4Aqfw2qY4pjoyp/PldeNb/lEwjKchUm0/iqRhx8pXKbIgC4y2+VX8GZH
lGqlRhcQfRnKg8GQKyWVBORZ8gD6saedwtNfA2wOLgNbd53Xo4WhfUHI9Y0icBho
yLcLTmjzmqWr1kkSz7dp3DjUWKHGq0Gn1+/qSdKU7VoJ9tpcWzBJ7yq6OW941IDP
hkcDOlO15ewI1NRypLbL4eu1wEmdBTJ7Rle/re5evNxr4uS2WTgcD5Mf5xFFXfG+
t5v9yiSEU/oMlMdRK8Y+ZxEyxtF2BZhSNuUzWZZGzRKrp7zHZ702UMC/B2WxdTpZ
2GswQXK8V4/ieeFbvWA8hVWfVeHbZCnkv9HdhjPCIrayrt6OzPfIfpUid/gjTqRl
HU/WYmGKI8l504p6RdJ7s9j3PFf5KKzUl3O4/6IuCVgv5y8+0LCZbG9Leb8A3NHt
R5smX7zN009+ztiXJax2uSIZ878fmF8OpRB54d+N6lMaWLn9dK4QAQkb66UXpDQ4
ZAG/MKT9kWU/Uj0Slf1YmQ==
=YAxd
-----END PGP PUBLIC KEY BLOCK-----
When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.
- Credit to https://github.com/Trewaters/security-README for helpful guidelines on setting up security files on GitHub.
- Thanks to https://github.com/securitytxt/ for their work on standardisation.
- Thanks to https://github.com/OWASP/ and particularly their Vulnerability Disclosure Cheat Sheet
- Thanks to https://github.com/disclose for their Safe Harbour and other terms