I welcome security reports for my projects. The efforts and contributions from individuals who wish to help improve the security of my software are very much appreciated.

Please make initial security reports privately.

If possible please use GitHub's private vulnerability reporting system. The process is explained in the creating a repository security advisory section of GitHub's secure coding documentation. If that tool is not available to you then you may contact me via email. The best point of contact for email communication will be the email address that is associated with my commits in the git repository.

If you are unsure if an issue has security implications then reach out to me via the security reporting process anyway. I'll work with you to verify and classify the problem.

A standard 90 day disclosure window is generally acceptable to me. I will try to reply promptly to any communications sent via GitHub or email. But please remember that I am just some random dev putting code online, and life sometimes alters my priorities for a while. If your initial contact doesn't receive a reply within a week then please try again, or try via an alternate communication method.