Please report (suspected) security vulnerabilities to [email protected] You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

• Confirm the problem and determine the affected versions.
• Audit code to find any potential similar problems.
• Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.
• Prepare a security advisory to be published on the GitHub Security Advisory Database.
• Contact the original reporter to let them know that we have a fix and are preparing a release.

If you have suggestions on how this process could be improved please submit a pull request.

This Security Policy is adapted from the GitHub Security Policy.