Tip
We encourage responsible disclosure practices for security issues. This document explains how to share your concerns with us.
Caution
Please do not make public announcements/discussions/issues/posts about potential vulnerabilities on GitHub or any other spaces!
- If this repository contains
THREAT_MODEL.mdplease refer to it first to understand if your vulnerability is valid and in-scope. - If this repository contains
SECURITY_EXTRA.mdplease refer to it and follow any additional directions specific to this repository. - When writing the report, please use Github permalinks when referencing any code in the project.
- With understanding that this is open source software provided for
free and you might not receive a timely response, please consider
encouraging your employer to support the project maintenance via
If you believe you've found a security-related bug, fill out a new vulnerability report via GitHub directly. To do so, follow these instructions:
- Click on the
Securitytab in the project repository. - Click the green
Report a vulnerabilitybutton at the top right corner. - Fill in the form as accurately as you can, including as many details as possible.
- Click the green
Submit reportbutton at the bottom.
Alternatively, drop an email to our aio-libs security mailbox instead of filing a ticket or posting to any public groups. It is currently set up to forward every incoming letter to Andrew Svetlov, Sam Bull and Sviatoslav Sydorenko. You can choose to email us directly as well. We will try to assess the problem in timely manner and disclose it in a responsible way.