DO NOT CREATE AN ISSUE to report a security problem. Instead, please send me an email.
The security point of contact is myself, C.J. May. I respond to security incident reports as fast as possible, within three business days at the latest.
In case a vulnerability is discovered or reported, I will follow this process to validate, respond, and remediate:
The first step is to find out the root cause, nature, and scope of the vulnerability:
- Prove that the vulnerability can be exploited.
- Find out who knows about the vulnerability and who is affected.
- Find out what data was potentially exposed.
After the initial assessment and containment to my best abilities, I will document all actions taken in a response plan.
I will create a GitHub Security Advisory in this repository to inform users about the incident and what actions I took to contain it.
Once the vulnerability is confirmed to be resolved, I will summarize the lessons learned from the incident and create a list of actions I will take to prevent it from happening again.