We take the security of our software very seriously and we value the insights from the broader community of cyber-security experts. The disclosure of security vulnerabilities helps us ensure the safety and privacy of our users.

For all software releases, bug fixes are provided for 18 months and security fixes are provided for 2 years. For all additional libraries, only the latest major release receives bug fixes.

If you have discovered a security vulnerability in our project, we appreciate your help in disclosing it to us in a responsible manner.

1. Do not disclose security-related issues publicly. You can report them by using GitHub's private vulnerability reporting. This allows us to manage the vulnerability as efficiently as possible and minimize the risk of malicious actors exploiting it. Please refrain from opening a GitHub Issue for this purpose.
   • Alternatively, you can send your reports via email to [email protected]. Please encrypt your email messages using our public PGP key (shown below) to ensure the confidentiality of the information.

     -----BEGIN PGP PUBLIC KEY BLOCK-----
     
     mDMEZkp9NBYJKwYBBAHaRw8BAQdAdTRfZg2K5ptLWTFiEQDhc8kLBqZWnAx4DKfu
     gk/f9+60IEJpbGJpbGFrIDxzZWN1cml0eUBiaWxiaWxhay5kZXY+iJMEExYKADsW
     IQQg4gWawAA25Z/owGcZxUf58ATw3QUCZkp9NAIbAwULCQgHAgIiAgYVCgkICwIE
     FgIDAQIeBwIXgAAKCRAZxUf58ATw3aMWAQDejElRIR3JoC7XxkRdeXO2JCxpJ3ky
     agYpzkNvnPglJAD9H+MG5aFKChFNWpjv6Ioc7KQf0rMrkkffYNz7OlcvKgq4OARm
     Sn00EgorBgEEAZdVAQUBAQdAk08YbPDnVhP80MbK3Dz8+3NPB/LPjJq/M4XQCySt
     uVYDAQgHiHgEGBYKACAWIQQg4gWawAA25Z/owGcZxUf58ATw3QUCZkp9NAIbDAAK
     CRAZxUf58ATw3cuaAQCyHctmCEhBImx1BalWeRnyvFpLh9fr8OORBv49i3iVcwEA
     zGeET/PFrEeSafEb/Z7190x/HTt/uFasTYx7v1Xm8wg=
     =vutj
     -----END PGP PUBLIC KEY BLOCK-----
     

2. Provide detailed reports. Include as much information as you can to help us understand the nature and scope of the vulnerability. This may include steps to reproduce, affected versions, and potential impacts.
3. Stay in contact. After you have reported a vulnerability, we may need further information from you in order to verify or address the issue.

1. We will acknowledge your email within 48 hours, and will keep you updated on our progress as we address the vulnerability.
2. We will validate and confirm the problem. After we have received your vulnerability report, we will work to validate and reproduce the issue.
3. We will address the issue as quickly as possible. Our team is committed to patching vulnerabilities swiftly. The time it takes to release these patches may vary depending on the severity and complexity of the issue.
4. We will publicize the vulnerability only after we have developed a fix for it. We will give you credit for the discovery in any public reports, unless you wish to remain anonymous.

While we appreciate every security report, some vulnerability types may be out-of-scope, such as:

1. Vulnerabilities in dependencies not included by default in the project.
2. Vulnerabilities requiring extensive user interaction or unlikely user behavior.
3. Issues that require physical access to the user's device.

Please understand that this policy is meant as a guideline, and we reserve the right to make exceptions based on the specifics of each case.

🫡 Thank you for helping us make our project safer for everyone! Your effort is commendable.