Found a security problem? Tell us before you tell the world.

How to report

Set up a real reporting channel before launch: a security@ mailbox or a SECURITY.md in the repo. This page is a placeholder until that’s in place.
  • Email the security contact (to be published).
  • Or open a private advisory on the GitHub repo.
Don’t open a public issue for a vulnerability.

What to include

  • What you found.
  • How to reproduce it.
  • What an attacker could do with it.
  • Any suggested fix.

What to expect

  • An acknowledgement.
  • An assessment against our security model.
  • A fix or a reason it’s out of scope.

Scope

Our security model sets the line. Some things are known boundaries — host side-channels, infrastructure takeover, and layer 3/4 DDoS — and won’t be treated as new findings. Everything else, we want to hear about.