The Icebox team and community take security bugs in Icebox seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security vulnerability, please use the GitHub Security Advisory "Report a Vulnerability" feature. This can be found by navigating to the "Security" tab of the Icebox repository on GitHub.

Please do not report security vulnerabilities through public GitHub issues.

When reporting a security vulnerability, please provide the following information:

• A clear description of the vulnerability.
• Steps to reproduce the vulnerability, including any specific configurations or data required.
• The potential impact of the vulnerability.
• Any known mitigations or workarounds.

When the Icebox team receives a security bug report, they will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

• Confirmation: Confirm the problem and determine the affected versions.
• Solution: Audit code to find any similar problems.
• Release: Prepare fixes for eventual release.

We aim to acknowledge receipt of all vulnerability reports within 48 hours and to provide an initial assessment of the vulnerability within 72 hours.

We will coordinate with you on the public disclosure of the vulnerability. We prefer to fully address a vulnerability before public disclosure.

Thank you for helping keep Icebox secure.