If you believe you have discovered a potential security issue or vulnerability in any of my projects, backend systems, or services I use, please follow these steps:
- Do not disclose the vulnerability publicly.
- Do not create a public GitHub issue, pull request, or discussion about the vulnerability.
- Email me directly at [email protected] with the subject line "Security Vulnerability Report".
An engineer from my team will be in touch with you as soon as possible.
Your report should include:
- A clear description of the issue, including steps to reproduce it.
- Any details that would help in understanding the potential impact of the vulnerability.
- Information about your system, the software you are using (such as Chrome, Firefox, Safari, etc.), and how you discovered the vulnerability.
- If possible, encrypt your message with my PGP key (available upon request).
Once submitted, your report will be reviewed promptly. We will then work with you to understand more about the issue and, if it is verified, make every effort to address the vulnerability quickly.
I will make my best effort to respond to your report within 48 hours and will strive to keep you informed about the progress towards a fix and full announcement.
When I receive a security bug report, I will:
- Confirm the problem and determine the affected versions.
- Audit code to find any potential similar problems.
- Prepare fixes for all still-maintained releases.
- Release new versions and update the public repository.
While I don't currently offer a formal bug bounty program, I deeply appreciate your efforts in keeping our community, users, and products safe. Rewards for significant vulnerabilities may be issued on a case-by-case basis at my discretion.
If you have suggestions on how this process could be improved, please submit a pull request or contact me directly.
Thank you for your support in responsibly disclosing any issues and helping to make my projects more secure.