If you’ve found a vulnerability, we would like to know so we can fix it. This notice provides details for how you can let us know about vulnerabilities

Only last major version is currently being supported with security updates.

To report a (suspected) security vulnerability in package code use the Vulnerability Template in the issues section.

If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

Report security bugs in third-party modules to the person or team maintaining the module. Use the Vulnerability Template if a dependency version update is needed to resolve the vulnerability.

When you are investigating and reporting the vulnerability, you must not:

• break the law
• access unnecessary or excessive amounts of data
• modify third-party data
• use high-intensity invasive or destructive scanning tools to find vulnerabilities
• try a denial of service - for example overwhelming a real service with a high volume of requests
• disrupt production services or systems
• tell other people about the vulnerability you have found until we have disclosed it
• social engineer, phish or physically attack any staff or infrastructure
• demand money to disclose a vulnerability

Unfortunately, we doesn't offer a paid bug bounty programme.

If you have suggestions on how this process could be improved please submit a pull request.