I take the security of my software and services seriously. This includes all open source software I create, maintain or help to maintain.
If you believe you have found a security vulnerability in any repository I maintain, including this one, please report it responsibly to me as described below.
Please DO NOT report security vulnerabilities publicly!
So... DO NOT create a GitHub issue for it ;)
Privately and confidentially, send me a detailed description of the vulnerability you have discovered using an encrypted and authenticated channel. Personally, I prefer this to be done using PGP encrypted email. The contact information needed for this is listed down below.
In the report, please include as much information as possible, including:
- An extensive description of the vulnerability.
- How it could be exploited.
- The potential impact you think it would have (e.g., DoS attackable, privacy concerns, leaking of credentials).
- Steps for reproducing the vulnerability.
- Code (if any) that is needed for reproducing the issue.
- If you have an idea for a fix, patch or any other adjustment for mitigating the vulnerability reported.
Sorry for the long list, but providing as much information as possible allows me to act more quickly. Make sure to write your report in the English language.
Please take care not to violate the privacy of other people in your report. For example, stack traces or exploit scripts sent to me should never contain private or personally identifiable information.
Give me at least a week to investigate and respond to the reported vulnerability you have found; and up to 60 days to fix and distribute it. This includes a window for existing users to upgrade, patch or mitigate the issue as well.
If you intend, at any point, to disclose the vulnerability to someone else or maybe even publicly, please give me reasonable advance notice.
If any dependent projects are involved, I will take care of informing the maintainers of those projects as well.
Unfortunately, I cannot offer a paid bug bounty program. I will, however, give my best efforts to show appreciation towards people that took the time and effort to disclose vulnerabilities responsibly.
I, and the open source community, will be forever grateful.
Oh, and if we ever meet, I'm happy to buy you a beer :)
Please contact me, Levente Farkas, directly on:
GPG Fingerprint: 237A 7BCA 3B60 576F 2054 8FDB B12B 9413 A185 F15C
https://keys.openpgp.org/search?q=237A7BCA3B60576F20548FDBB12B9413A185F15C