We take security reports seriously: this framework is used by a large number of HubSpot sites, and a vulnerability in it would put all of them at risk. We appreciate you taking the time to understand our policy.
Because of the way HubSpot and this framework work, the most recent version is the only one we can secure. We have no way to update a version that is already installed on someone's portal.
Please DM Jon McLaren directly if you find a vulnerability. We will then work on an update that fixes the security hole.
We do not have a bounty program for this, but if sponsorships end up funding us well, we will consider giving the person who reported the issue a tip.
Please refrain from publicly disclosing the vulnerability until we have finished the patch; publishing early puts users at greater risk by raising awareness of the exploit before a fix is available.
We use GitHub's security advisory feature to create a private fork of the repo in which to fix the security hole; all discussion related to the vulnerability is kept in that fork. Once the fix has been implemented, we publish it and merge it into the main repo. We will publish a description of the vulnerability and how it can be fixed on existing websites. We will also update old release notes with a note stating that the version has a security vulnerability, with a link to the vulnerability information.