We release patches for security vulnerabilities. Which versions are eligible for security updates depends on the project.

I take the security of my projects seriously. If you discover a security vulnerability, please follow these guidelines:

1. Do NOT file a public issue on GitHub
2. Do NOT discuss the vulnerability publicly until I've had a chance to address it
3. Send your report to me at: [email protected]

Please include as much of the following information as possible:

• Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
• Full paths of source file(s) related to the manifestation of the issue
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• We will acknowledge receipt of your report within 24 hours
• We will investigate the issue and determine if it's a valid security vulnerability
• If confirmed, we will work on a fix and keep you updated on our progress
• Once a fix is available, we will coordinate the release with you
• We may ask for additional information or guidance during the process

• We follow a 90-day disclosure policy by default
• We may adjust the timeline based on the severity of the vulnerability
• We will coordinate with you on the timing and content of any public disclosure

When we release security updates, we will:

• Update this SECURITY.md file with information about the vulnerability
• Provide clear upgrade instructions
• Credit researchers who reported the vulnerability (with their permission)

• OWASP Security Cheat Sheet Series
• Web Security Academy
• NIST Security Guidelines

For security-related questions or concerns, please contact us at [email protected].