Security: Flupinochan/popcal

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability, please report it to us in one of the following ways:

Email

Send details to: [email protected]

GitHub Security Advisory

Report through our GitHub Security Advisory page

Disclosure Process

  1. We will acknowledge receipt of your vulnerability report within 48 hours
  2. We will provide an initial assessment within 5 business days
  3. We will work with you to resolve the vulnerability within 30 days
  4. We will publicly disclose the vulnerability after a fix is released

What Constitutes a Vulnerability

We consider the following as security vulnerabilities:

  • Authentication bypass
  • Data exposure
  • Remote code execution
  • Denial of service attacks

Out of Scope

The following are not considered security vulnerabilities for the purposes of this policy:

  • Reports from automated scanners without a proof-of-concept demonstrating a specific vulnerability.
  • Self-XSS (user-based cross-site scripting) that does not affect other users.
  • Issues related to software or protocols not under our control.
  • Missing security best practices (e.g., missing security headers) that do not lead to a direct, exploitable vulnerability.

Thank you for helping keep our project and users safe.

There aren’t any published security advisories