Open Source Security policy
Reporting a Vulnerability
If you believe you have discovered a vulnerability in one of our open-source projects or have a security incident to report, use the "Report a vulnerability" feature from the "security advisories" section of the related repository.
Using this communication channel (english as a preferred languages), we will be able privately discuss and fix the security vulnerability.
❌ Never use any other communication channel to report a security vulnerability
Vulnerability disclosure policy
We believe that vulnerability disclosure is a two-way street. Vendors, maintainers as well as researchers, must act responsibly.
This is why we adheres to a 90-day disclosure deadline.
This policy is strongly in line with our desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over deadline.
Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities.
In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.