Security: slabs-labs/slab

SECURITY.md

Security

We take the security of our project seriously. This includes all source code repositories managed through our GitHub organization.

Definition of a Security Vulnerability

We follow the MITRE.org definition of a "security vulnerability":

A weakness in the computational logic (for example, code) found in software that, when exploited, results in a negative impact to confidentiality, integrity, or availability.

To be clear, not all bugs or issues are security vulnerabilities. Security vulnerabilities are those that could be exploited to compromise the security of the system. Examples of issues that are not considered security vulnerabilities include:

  • Feature requests
  • Performance issues
  • Usability problems
  • Expected behavior
  • Misconfigurations (unless they lead to a security vulnerability)

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report any security vulnerabilities through GitHub's Security Advisory feature. This allows us to handle the report confidentially and coordinate a fix before public disclosure.

When reporting a vulnerability, please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Any potential impact or severity assessment
  • Your contact information for follow-up questions

We will acknowledge receipt of your report within 48 hours and will work with you to address the issue as quickly as possible.

Disclosure Policy

We appreciate responsible disclosure of security vulnerabilities. Once a vulnerability has been reported, we will work to verify and fix the issue in a timely manner. We aim to release a fix within 30 days of receiving a valid report, depending on the complexity of the issue.

There aren’t any published security advisories