Our responsibility is to provide the best security advisory and the highest level of transparency regarding security issues that we possibly can. We care about security and are prepared to go above and beyond to ensure that no one falls victim to cyber threats as a result of our actions.
Our nominal process for disclosure of security issues is as follows:
- A security issue is identified
  a. The issue may have been discovered by our security team.
  b. The issue may have been discovered and reported via the facility we have made available to notify us of security issues privately at [email protected].
- The security issue is disclosed to those affected
  a. If the security issue is deemed low risk or related to documentation, an issue may be raised directly and publicly. These issues are available for anyone to view, browse or contribute against under the label "Security" on the Issue Tracker.
  b. If the security issue is deemed moderate or higher risk, the issue will be addressed internally or we will reach out to trusted contributors to have the issue addressed within 60 days. Once the issue has been fixed, or if the issue has not been fixed within 60 days, we will issue a security advisory via GitHub. If you wish to be advised by email immediately when a security issue is raised, please let us know by sending an email to [email protected] and we will place you on the security mailing list.
As a user or security researcher, you have the responsibility to help us enforce this security policy by following the process of responsible disclosure, allowing us to manage security issues within the time period that we have allocated and hence mitigate damage. Your support of this arrangement is highly appreciated.