We acknowledge that every line of code that we write may potentially contain security issues. We are trying to deal with it responsibly and provide patches as quickly as possible.
We host our bug bounty program on HackerOne, it is currently private, therefore if you would like to report a vulnerability and get rewarded for it, please ask to join our program by filling this form:
https://zeng.page.link/open-source-report-vulnerability
You can also send you report via this form if your do not want to join our bug bounty program and just want to report a vulnerability or security issue.
In the past there were issues with the process mentioned above. If you want to report a security vulnerability and face an issue, please reach out to the team of maintainers via e-mail.