Please focus your analysis on the latest stable version of the library.

If the project maintainers deem the issue to be particularly significant, a patch may be backported to some previous versions.

Please privately report any vulnerabilities as a Github Security Advisory (or you can email security@philippheuer.me and gitprodigy@proton.me).

We will acknowledge the report within a week and begin investigating. If you do not receive this acknowledgement, please nudge us via Discord or a Github Issue, but refrain from including any details of the vulnerability in public forums.

Our vulnerability disclosure guidelines are similar to Google's Project Zero rules.

Once you report a vulnerability, we have 90 days to make a patch available for users. Once a patch is released, you may publicly disclose the vulnerability details after 30 more days (so users have time to upgrade). If we do not release a patch within this period, you can publicly disclose the details of the vulnerability without further delay.

If the vulnerability is shown to be already exploited "in the wild," the 90-day period is replaced by a 10-day period. However, the 30 additional days before public disclosure still apply, if we are able to publish a patch within the period.

Lastly, early disclosure is permitted only if mutually agreed upon by the issue reporter and the project maintainers.