To report a security issue, please publish a private security advisory with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
Our vulnerability management team will respond within one week to your email. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.