Do not disclose suspected vulnerabilities publicly in issues, pull requests, or discussions.
If the target repository documents a private reporting path, use it. If the repository or the account profile documents another private contact route, use that route rather than opening a public issue. Only if no private route is documented should you open a minimal public issue, containing no exploit details, that asks for a secure contact route.

Include the following in your report:
- Affected repository
- Affected version, tag, or commit
- Vulnerability summary
- Impact assessment
- Reproduction conditions
- Proof of concept, only if it can be shared safely and is needed to reproduce the issue
- Suggested remediation, if available
Please allow reasonable time for triage and remediation before disclosing publicly.
This default policy is a shared fallback for repositories that do not define a repository-specific security policy.
Repositories with their own SECURITY.md or private reporting instructions should be treated as authoritative over this default.