If you find a security issue in Garden or one of its related projects, please DO NOT submit it via the issue tracker! Instead, please follow responsible disclosure practices and send information about security issues directly to security@garden.io so that a proper assessment can be made and a fix prepared before a wide announcement. Please include a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. You will receive an acknowledgement within 24 hours.

Even in cases where you have limited or incomplete information, or you're not sure whether or not a problem constitutes a security issue, please make contact as soon as possible. We can work together to investigate, debug, and assess.

If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.

You may also direct questions, feedback, or suggestions about Garden's security policy to the same email addresses.

Your help is greatly appreciated in keeping Garden code secure!