Security fixes are handled per repository based on active maintenance and release status.
Do not open public issues for suspected vulnerabilities.
If private reporting is enabled for the affected repository, use GitHub's private vulnerability reporting flow.
If private reporting is not available, use the maintainers' private contact path listed on the repository or organization website instead of opening a public issue.
When reporting, include:
- Affected repository and version
- Reproduction steps or proof of concept
- Impact assessment
- Any suggested remediation
We recommend acknowledging reports promptly and keeping reporters informed as fixes are prepared.