We take security issues with our websites and projects very seriously, but we also want our approach to security to be positive, productive and healthy — for us, for our customers and for security researchers too.

If you discover a security issue with our published open source code, or otherwise, please report it to us privately via [email protected]. You can use our GPG public key (compare it against the copy at GitHub and our site) to encrypt your message.

We will endeavour to:

  • Respond to your report with an acknowledgement within 24 hours.
  • Investigate the issue more thoroughly within 7 days.
  • Release a fix to the problem as soon as is practicable after that.
  • Provide you with full credit for highlighting the issue.

There might be occasions when we can’t meet these — they are goals, not absolute promises. For example, extraordinary circumstances might mean we’d be unable to immediately respond to your report, or we may be unable to release a fix as soon as we’d like because it may take extra time to rework legacy components which might depend on the vulnerable code. We’d ask you to be patient and work with us, and we will do our best to respond swiftly and responsibly.

In return, we would expect you to endeavour to:

  • Report the vulnerability to us privately, and not disclose details of it that might compromise users until a fix can be made available.
  • Not use the vulnerability to violate our customers’ privacy or the integrity of their data.
  • Co-operate with us, as much as is reasonable, to track down and investigate the issue. (If you can help us fix it, even better.)

From the very beginning, we want to approach the issue of security in a positive and constructive way. We look forward to co-operating with you.