As an open-source project, we encourage you to explore the source code and report (or fix) any security issues you find. We take security very seriously, and we will do our best to respond to any issues as quickly as possible.
When testing vulnerabilities, we ask that you do so against a local instance of the project, and not against the live production project. If it is not possible to test against a local instance, for example due to it being a production-only configuration issue, please contact us and we will do our best to assist you.
If you find a security vulnerability, please report it via DigitalOcean's bug bounty program: https://app.intigriti.com/programs/digitalocean/digitalocean