To report a vulnerability, please email [email protected]. Please do not expose the vulnerability in public, which includes creating a GitHub issue. You should expect an acknowledgement within one week. If you do not, please message @knjk04 privately on Gitter.
When we receive a security vulnerability report, we will prioritise these above all else. If we accept the vulnerability, you should expect to receive weekly reports if you are happy to receive them. If we reject the security vulnerability, we will tell you why.
As this is a volunteer effort that we are working on in our spare time amidst busy lives, we cannot comment on how soon we will be able to fix a vulnerability by. However, we will do our best to fix them as soon as possible.