If you believe you have found a security vulnerability in one of our maintained packages, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before making a report, please review this page to understand our security policy and how to communicate with us.
| Version | Supported |
|---|---|
| 1.0.0 | ✅ |
- You do not disclose security vulnerabilities publicly until we have addressed them.
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You do not exploit a security issue you discover for any reason.
- You provide detailed reports with reproducible steps and a clearly defined impact.
- You submit only one vulnerability per report.
- You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
- You do not engage in non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- You do not use scanners or automated tools to find security vulnerabilities.
- You do not violate any other applicable laws or regulations.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
To report a vulnerability, please send a direct message to @drachenpapa. All reports will be reviewed and investigated promptly and fairly. We appreciate your efforts to disclose the issue privately and give us an opportunity to fix it before disclosing it publicly.
If you have suggestions on how this process could be improved, please submit a pull request.