We take the security of the project seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via our disclosure submission program.
We prefer all communications to be in English.
- Security report received
- Security team acknowledges receipt within 48 hours
- Team investigates and determines severity
- Team develops and tests fix
- Team prepares advisory and patches
- Advisory published, patches released
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Only interact with accounts you own or with explicit permission of the account holder
- Provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third-party
- Do not exploit a security issue for purposes other than immediate testing
We review security reports for our dependencies and follow responsible disclosure guidelines.