This security policy applies to any vulnerabilities. Thank you for taking the time and effort to report security vulnerabilities. There are no monetary rewards for vulnerability disclosures in this repository.
If you believe you have found a security vulnerability, please submit your report to: [email protected]
In your report, please include:
- In the email subject line, enter in all caps: - SECURITY INCIDENT - ACTION REQUESTED -
- A brief description of the type of vulnerability.
- Steps to reproduce. These steps should be a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately.

After you have submitted your report, we will aim to triage your report within 10 working days.
Priority for remediation is assessed by looking at the impact, severity, and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation. You may be invited to confirm that the solution covers the vulnerability adequately.
You must NOT:
- Break any applicable laws or regulations.
- Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
- Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with your best practices.
- Communicate any vulnerabilities or associated details other than by the means described in this policy.
- Perform social engineering or phishing attacks.
- Demand financial compensation in order to disclose any vulnerabilities.