This document outlines security procedures and policies.
- Vulnerability reports are accepted by email at [email protected]. Any issue or PR containing a vulnerability report will be deleted immediately for security reasons.
- In the subject line of the email, indicate that your request is related to security. For example, use the words `Security` or `Vulnerability`.
- In the email, describe all the necessary information in detail: how the vulnerability is used, mentions of it in other sources, etc.
- Send the email only from an existing address so that you can receive notifications about the progress of the request.
- After the request has been received and verified, you will be sent a notification with the result of the verification.
- If the vulnerability is confirmed, the notification will indicate its priority and the possible correction time.
- Once the vulnerability has been fixed, you will be notified of the completion of the review.
- The time needed to release a fixed version depends on the priority of the vulnerability.
- Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
- All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for using the vulnerability.
- At your request, we can mention you in the update as the person who found the vulnerability. The mention may use an email address, full name or nickname of your choice.