Please do not report security vulnerabilities in public GitHub issues or public GitHub discussions.
Use GitHub private vulnerability reporting to submit security reports. This sends the report directly to the maintainers without public disclosure.
Use the private reporting channel (GitHub private vulnerability reporting, as above) for:
- command injection risks
- unsafe file writes or path traversal
- secrets exposure
- unsafe patch application behavior that could cross trust boundaries
- supply chain or release integrity issues
- other vulnerabilities that would create unnecessary risk if disclosed publicly before a fix is ready
Use public issues for:
- ordinary bugs
- feature requests
- design discussions
- documentation problems
- non-sensitive regressions
Maintainers should:
- acknowledge the report quickly
- confirm whether the issue is reproducible and in scope
- work on a fix privately when needed
- publish a coordinated fix and advisory once it is safe to do so
GitHub private vulnerability reporting is the default private channel for security reports. It is not meant to become a general-purpose private contact method for product ideas, support, or partnership requests.