I take the security of my software and services seriously. This includes all open source software I create, maintain or help to maintain.
If you believe you have found a security vulnerability in any repository I maintain, including this one, please report it responsible to me as described below.
Please DO NOT report security vulnerabilities publicly!
So... DO NOT create a GitHub issue for it ;)
Privately and confidently, send me a detailed description of the vulnerability you have discovered using an encrypted and authenticated channel. Personally, I prefer this to be done using PGP encrypted email. Contact information needed for this is listed down below.
In the report, please include as much information as possible, including:
- A extensive description of the vulnerability.
- How it could be exploited.
- The potential impact you think it would have (e.g., DOS attackable, privacy concerns, leaking of credentials).
- Steps for reproducing the vulnerability.
- Code (if any), that is needed for reproducing the issue.
- If you have an idea for a fix, patch or any other adjustment for mitigating the vulnerability reported.
Sorry for the long list, but providing as much information as possible allows me to act more quickly. Make sure to write your report in the English language.
Please take care not to violate the privacy of other people in your report. For example, stack traces or exploit scripts sent to me should never contain private or personally identifiable information.
Give me at least a week to investigate and respond to the reported vulnerability you have found; and up to 60 days to fix and distribute it. This includes a window for existing users to upgrade, patch or mitigate the issue as well.
If you intent, at any point, to disclose the vulnerability to someone else or maybe even publicly, please give me a reasonable advanced notice.
If any dependent projects are involved, I will take care of informing the maintainers of those projects as well.
Unfortunately, I cannot offer a paid bug bounty program. I will, however, give my best efforts to show appreciation towards people that took the time and effort to disclose vulnerabilities responsibly.
Me, and the open source community, will be forever grateful.
Oh, and if we ever meet, I'm happy to buy you a beer :)
Please contact me, Jochen Schalanda, directly on:
[email protected] (not for support!)
GPG Fingerprint: 1EA6 C4F8 4527 2CB7 5C32 5A67 1214 3BE8 7AEA A321
https://keys.openpgp.org/search?q=1EA6C4F845272CB75C325A6712143BE87AEAA321
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEYwotyRYJKwYBBAHaRw8BAQdAmNR0fLidan0puuSW0zQRjSsVqN7OilU5aAEl
I/zZfBjNJkpvY2hlbiBTY2hhbGFuZGEgPGpvY2hlbkBzY2hhbGFuZGEuZGU+wpkE
ExYIAEEWIQQepsT4RScst1wyWmcSFDvoeuqjIQUCYwouLgIbAwUJB4TOAAULCQgH
AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRASFDvoeuqjITr8AP9afHLt3Ija2+VT
TUme4PDyYe6qnJu31GLlCNlnVhKrKwD/RFWIoxZ3dPwIqCKKDYPSHbDNQTPSvtzR
mp2SkAHfUgHNKEpvY2hlbiBTY2hhbGFuZGEgPGpvY2hlbkBzY2hhbGFuZGEubmFt
ZT7CwzsEExYIA6MCGwMFCQeEzgAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AC
GQEWIQQepsT4RScst1wyWmcSFDvoeuqjIQUCZZFlvjsUgAAAAAAQACJwcm9vZkBh
cmlhZG5lLmlkaHR0cHM6Ly9ndHMuc2NoYWxhbmRhLm5hbWUvQGpvc2NoaUAUgAAA
AAAQACdwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9jb2RlYmVyZy5vcmcvam9zY2hp
L2dpdGVhX3Byb29mUBSAAAAAABAAN3Byb29mQGFyaWFkbmUuaWRodHRwczovL3R3
aXR0ZXIuY29tL2pvc2NoaTgzL3N0YXR1cy8xNTg5Mzc1OTg3MzgwNTQ3NTg0SRSA
AAAAABAAMHByb29mQGFyaWFkbmUuaWRodHRwczovL25ld3MueWNvbWJpbmF0b3Iu
Y29tL3VzZXI/aWQ9cmVhbF9qb3NjaGk/FIAAAAAAEAAmcHJvb2ZAYXJpYWRuZS5p
ZGh0dHBzOi8vZ2l0bGFiLmNvbS9qb3NjaGkvZ2l0bGFiX3Byb29mWBSAAAAAABAA
P3Byb29mQGFyaWFkbmUuaWRodHRwczovL2dpc3QuZ2l0aHViLmNvbS9qb3NjaGkv
ZmU5Y2YzMmQwMDgyNjE5ZmM3YWUzOTRmODA5ZDlmYzgrFIAAAAAAEAAScHJvb2ZA
YXJpYWRuZS5pZGRuczpzY2hhbGFuZGEubmFtZSkUgAAAAAAQABBwcm9vZkBhcmlh
ZG5lLmlkZG5zOnNjaGFsYW5kYS5kZT0UgAAAAAAQACRwcm9vZkBhcmlhZG5lLmlk
aHR0cHM6Ly9naXRlYS5jb20vam9zY2hpL2dpdGVhX3Byb29mOBSAAAAAABAAH3By
b29mQGFyaWFkbmUuaWRodHRwczovL21hc3RvZG9uLnNvY2lhbC9Aam9zY2hpRRSA
AAAAABAALHByb29mQGFyaWFkbmUuaWRodHRwczovL3N0YWNrb3ZlcmZsb3cuY29t
L3VzZXJzLzQ5NTA1L2pvc2NoaWQUgAAAAAAQAEtwcm9vZkBhcmlhZG5lLmlkaHR0
cHM6Ly93d3cucmVkZGl0LmNvbS91c2VyL2pvc2NoaTgzL2NvbW1lbnRzL3lvM3lo
bi9rZXlveGlkZW9wZW5wZ3BfcHJvb2YvNRSAAAAAABAAHHByb29mQGFyaWFkbmUu
aWRodHRwczovL2hhY2h5ZGVybS5pby9Aam9zY2hpAAoJEBIUO+h66qMhV8cA/Aju
BP/Xs47AJtLRAeqJgMC2roWZAgs7R5Q1oDQDsXERAQC7RJbXl82YCbVZyoWAaoPf
BZyYw4hXZi0mwLu1QYtdBcLCyQQTFggDMQIbAwUJB4TOAAULCQgHAgIiAgYVCgkI
CwIEFgIDAQIeBwIXgAIZARYhBB6mxPhFJyy3XDJaZxIUO+h66qMhBQJjaC+oQBSA
AAAAABAAJ3Byb29mQGFyaWFkbmUuaWRodHRwczovL2NvZGViZXJnLm9yZy9qb3Nj
aGkvZ2l0ZWFfcHJvb2ZQFIAAAAAAEAA3cHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8v
dHdpdHRlci5jb20vam9zY2hpODMvc3RhdHVzLzE1ODkzNzU5ODczODA1NDc1ODRJ
FIAAAAAAEAAwcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vbmV3cy55Y29tYmluYXRv
ci5jb20vdXNlcj9pZD1yZWFsX2pvc2NoaT8UgAAAAAAQACZwcm9vZkBhcmlhZG5l
LmlkaHR0cHM6Ly9naXRsYWIuY29tL2pvc2NoaS9naXRsYWJfcHJvb2ZYFIAAAAAA
EAA/cHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vZ2lzdC5naXRodWIuY29tL2pvc2No
aS9mZTljZjMyZDAwODI2MTlmYzdhZTM5NGY4MDlkOWZjOCsUgAAAAAAQABJwcm9v
ZkBhcmlhZG5lLmlkZG5zOnNjaGFsYW5kYS5uYW1lKRSAAAAAABAAEHByb29mQGFy
aWFkbmUuaWRkbnM6c2NoYWxhbmRhLmRlPRSAAAAAABAAJHByb29mQGFyaWFkbmUu
aWRodHRwczovL2dpdGVhLmNvbS9qb3NjaGkvZ2l0ZWFfcHJvb2Y4FIAAAAAAEAAf
cHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vbWFzdG9kb24uc29jaWFsL0Bqb3NjaGlF
FIAAAAAAEAAscHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vc3RhY2tvdmVyZmxvdy5j
b20vdXNlcnMvNDk1MDUvam9zY2hpZBSAAAAAABAAS3Byb29mQGFyaWFkbmUuaWRo
dHRwczovL3d3dy5yZWRkaXQuY29tL3VzZXIvam9zY2hpODMvY29tbWVudHMveW8z
eWhuL2tleW94aWRlb3BlbnBncF9wcm9vZi8ACgkQEhQ76HrqoyH1oAEA6P9MZzly
z8zPLquoiv+CKaEUuo4T9p+/seywjDXLsqwBAMEiVdFECOLNTkHVqDIvDMgbijdz
gKVHJnovzezQFv8GwsKIBBMWCALwAhsDBQkHhM4ABQsJCAcCAiICBhUKCQgLAgQW
AgMBAh4HAheAAhkBFiEEHqbE+EUnLLdcMlpnEhQ76HrqoyEFAmNoLd1kFIAAAAAA
EABLcHJvb2ZAYXJpYWRuZS5pZGh0dHBzOi8vd3d3LnJlZGRpdC5jb20vdXNlci9q
b3NjaGk4My9jb21tZW50cy95bzN5aG4va2V5b3hpZGVvcGVucGdwX3Byb29mL0UU
gAAAAAAQACxwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9zdGFja292ZXJmbG93LmNv
bS91c2Vycy80OTUwNS9qb3NjaGk4FIAAAAAAEAAfcHJvb2ZAYXJpYWRuZS5pZGh0
dHBzOi8vbWFzdG9kb24uc29jaWFsL0Bqb3NjaGk9FIAAAAAAEAAkcHJvb2ZAYXJp
YWRuZS5pZGh0dHBzOi8vZ2l0ZWEuY29tL2pvc2NoaS9naXRlYV9wcm9vZikUgAAA
AAAQABBwcm9vZkBhcmlhZG5lLmlkZG5zOnNjaGFsYW5kYS5kZSsUgAAAAAAQABJw
cm9vZkBhcmlhZG5lLmlkZG5zOnNjaGFsYW5kYS5uYW1lWBSAAAAAABAAP3Byb29m
QGFyaWFkbmUuaWRodHRwczovL2dpc3QuZ2l0aHViLmNvbS9qb3NjaGkvZmU5Y2Yz
MmQwMDgyNjE5ZmM3YWUzOTRmODA5ZDlmYzg/FIAAAAAAEAAmcHJvb2ZAYXJpYWRu
ZS5pZGh0dHBzOi8vZ2l0bGFiLmNvbS9qb3NjaGkvZ2l0bGFiX3Byb29mSRSAAAAA
ABAAMHByb29mQGFyaWFkbmUuaWRodHRwczovL25ld3MueWNvbWJpbmF0b3IuY29t
L3VzZXI/aWQ9cmVhbF9qb3NjaGlQFIAAAAAAEAA3cHJvb2ZAYXJpYWRuZS5pZGh0
dHBzOi8vdHdpdHRlci5jb20vam9zY2hpODMvc3RhdHVzLzE1ODkzNzU5ODczODA1
NDc1ODQACgkQEhQ76HrqoyHiXQEAxm2svWWiWxkXMlBhEJ2qKHOsL0LYoMuUl/2/
2umz2z4BALcs6jyIUZVPzNGAZIXQFMWG7OmZLRo1DVuW5WCqTXgFwpwEExYIAEQC
GwMFCQeEzgAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AWIQQepsT4RScst1wy
WmcSFDvoeuqjIQUCY2gcpQIZAQAKCRASFDvoeuqjIfizAP4g7c6yIoY90uu01RRQ
9EnSsmSethq4Fv1VcgEo+p+aHAD+J66GW6MlIC7AITqim+HRkH2DJS49Xi4VBFf1
tLmBTATCmQQTFggAQRYhBB6mxPhFJyy3XDJaZxIUO+h66qMhBQJjCi3JAhsDBQkH
hM4ABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEBIUO+h66qMhQacA/0QY
5vSxtogUlkXALGJFnqaY6CKHebjCEPL/8gUbKae7AP4vHGTh+K/nx4QIn1bfF7U3
K8LaXybvd8j54SYerpeKDM0nSm9jaGVuIFNjaGFsYW5kYSA8anNjaGFsYW5kYUBn
bWFpbC5jb20+wpkEExYIAEEWIQQepsT4RScst1wyWmcSFDvoeuqjIQUCYwouSQIb
AwUJB4TOAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRASFDvoeuqjIYsE
AQCxEKXn6h9EuP4LCAPlRJUMYG8hrzt52muXVCCXlxrFDQEAo11Ivb1zfbOEGa9C
1ySpIUilovHbzslHqassogIOsgzNKUpvY2hlbiBTY2hhbGFuZGEgPGpzY2hhbGFu
ZGFAbWFpbGJveC5vcmc+wpkEExYIAEEWIQQepsT4RScst1wyWmcSFDvoeuqjIQUC
YwouewIbAwUJB4TOAAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRASFDvo
euqjIa5KAP9MKYDMbVN/xcmaoi0h5bXvFJqeScRps056CR44nsTBngEAqo4Kw5Am
1UMe/NZ9hXzUr+GDbPpLm+eyX9ir3PV3/AjOOARjCi3JEgorBgEEAZdVAQUBAQdA
X4Li2i6eX9uz/8D1I7gNzKNY7f7KBnD6rdOKe5o9V3MDAQgHwn4EGBYIACYWIQQe
psT4RScst1wyWmcSFDvoeuqjIQUCYwotyQIbDAUJB4TOAAAKCRASFDvoeuqjIcQ4
AP4h+ALfy7kLes+Y3gDE7lKQZFvMZgwrpeWRg5YiyHUrVQD+LziDV61K7ttbIsAX
Skks5Gh6z7rT7HQNzp+Uiy8XpQI=
=Bv0g
-----END PGP PUBLIC KEY BLOCK-----