Please do not disclose vulnerabilities in public issues.
Use one of these private channels:
- GitHub private vulnerability reporting (preferred)
- Direct maintainer contact listed in MAINTAINERS.md
Our response targets:
- Initial triage response: within 72 hours
- Status update cadence: at least every 7 days while open
- Fix timeline: depends on severity and exploitability
We follow coordinated disclosure:
- Reporter submits private report.
- Maintainers reproduce and assess impact.
- Fix is prepared and validated.
- Advisory is published with mitigation guidance.
Security reports are especially relevant for:
- policy bypass or unintended fail-open behavior
- authentication/authorization descriptor handling issues
- header/query parsing ambiguity leading to enforcement gaps
- resource exhaustion in hot-path enforcement logic