At Diplomatiq, security is always a primary focus. We would like to thank you for your security contributions.
- Please email a detailed description of the vulnerability you found to the [email protected] address. If possible, encrypt your email's contents with our PGP key (https://www.diplomatiq.org/pgp-key.txt) and sign it with yours.
- Your email will be acknowledged within 48 hours by the Security Team.
- You will receive a detailed response about the next steps of handling the vulnerability within a total of 96 hours. The Security Team will do their best to keep you informed about the progress towards fixing and publicly announcing the vulnerability, and may ask for additional input.
Security issues found in a third-party module should be reported directly to the maintainers of the affected third-party module.
After fixing the vulnerability, Diplomatiq will disclose the security vulnerability in the release notes of the affected module's subsequent release, in the Security Bulletin section.
Please report suggestions on improving this policy by opening a pull request.