Please report security issues privately using GitHub's "Report a vulnerability" form on this repository (Security tab).
Do not file public GitHub issues for security problems.
When reporting, please include:
- Affected project/repo and version(s)
- Impact and component(s) involved
- Reproduction steps or PoC (if available)
- Your contact and preferred credit name
If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at [email protected].
If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.
We follow coordinated vulnerability disclosure:
- We will acknowledge your report, assess impact, and work on a fix.
- We aim to provide status updates at reasonable intervals until resolution.
- We will publish a security advisory (and CVE via the OpenJS CNA when applicable) once a fix or mitigation is available. We credit reporters by default unless you request otherwise.