Do not open public issues for security findings.
Preferred channel:
- Go to Security -> Advisories -> Report a vulnerability in this repository.
- Provide impact, affected versions/commit, and reproduction steps.
- Include proof of concept and suggested mitigation when possible.
Direct link:
- Initial acknowledgment: within 72 hours.
- Triage and severity classification: as soon as reproduction is confirmed.
- Fix coordination: private until a patch is available.
- Use coordinated disclosure.
- Do not publish exploit details before maintainers release a fix.
- Test only on systems you own or have explicit written authorization to assess.
Only actively maintained branches/releases receive security fixes:
- develop (active development)
- main (stable release line)
Older snapshots and experimental branches may not receive patches.