- Preferred: use GitHub Security Advisories on the affected repository (Security -> Advisories -> New draft).
- If Advisories are unavailable, contact the maintainers through a private channel. A dedicated security email will be published when ready.
- Please avoid public issues, pull requests, or discussions for security reports.
- Default branch and the latest release are supported.
- Older versions receive best-effort fixes; you may be asked to upgrade.
- Acknowledge within 72 hours.
- Initial assessment within 7 days.
- Coordinated disclosure target: within 90 days, adjusted by severity.
- We practice responsible disclosure and will coordinate timelines with reporters.
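- Preferred: use GitHub Security Advisories on the affected repository (Security -> Advisories -> New draft).
- If Advisories cannot be used, contact the maintainers through a private channel. A dedicated security email address will be announced later.
- Do not disclose security issues in public Issues, PRs, or Discussions.
- The default branch and the latest release are in scope for support.
- Older versions are supported on a best-effort basis; an upgrade may be required.
- Receipt is acknowledged within 72 hours.
- An initial assessment is given within 7 days.
- Coordinated disclosure target: within 90 days (adjusted by severity).
- We follow responsible disclosure and agree on timelines with reporters.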