Security: HibiscusCollective/llmconfig

docs/SECURITY.md

Security Policy

The recommended way to report a security vulnerability is to privately report it via GitHub. This allows us to review the vulnerability and plan our mitigation and communication strategy to minimise the risk of it being exploited. While full transparency is desirable, there is a risk inherent in disclosing an unpatched vulnerability that it will be exploited before we can mitigate it.

Response times

We commit to responding to any reports within 14 days of receipt, and to work with the reporter to resolve the vulnerability promptly.

Disclosure

We commit to disclosing any security vulnerabilities to the community within 30 days of receipt, unless doing so would create undue risk to the community. We also commit to acknowledging the reporter of the vulnerability for their contribution to keeping the community safe unless they choose to remain anonymous. Please don't hesitate to let us know your preference when reporting a vulnerability.

Resolution

We also commit to resolving security vulnerabilities on a sliding scale based on the severity of the vulnerability. Our goal is to resolve all privately reported vulnerabilities with a CVSS score of medium or higher within 60 days of receipt, and all privately reported vulnerabilities with a critical severity within 30 days of receipt. If the vulnerability has already been made public via a third party, we will strive to expedite resolution to within 30 days of publication for medium or higher vulnerabilities and within 7 days for critical vulnerabilities.

Please be aware that our projects are maintained on a voluntary basis and that we may not always have the capacity to meet these objectives, but these are the standards we will try to uphold.

Disclaimer

These policies do not constitute a legally binding obligation or contract and should not be interpreted as such. These do not supersede the terms of the project's license, and where they are in conflict the terms of the license take precedence.

In particular, please be aware of the two disclaimers below, carried by our default project license (AGPL-3.0-or-later), but always refer to the project's license for the full details.

Disclaimer of Warranty

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

Limitation of Liability

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.