
Security: backbone-hq/minibone

SECURITY.md

🔒 Security Policy

Security is the lifeblood of Minibone. If a Minibone vulnerability exists, it's critical that its impact is minimized.

🛂 Reporting a Vulnerability

Please refrain from reporting security vulnerabilities through public channels such as GitHub issues or discussions.

If you believe you've found a vulnerability, we'd appreciate it if you responsibly disclosed it by emailing [email protected]. Try to be as explicit and detail-oriented as possible when describing how to reproduce the issue. Providing code snippets, error messages, screenshots and other auxiliary information will go a long way in helping us prepare a fix.

📢 Public Disclosure

We hold ourselves to a strict 30-day public disclosure policy for non-critical vulnerabilities and a 60-day policy for critical vulnerabilities to ensure sufficient uptake of a patch prior to disclosure.

With your permission, we're happy to support you by co-authoring or disseminating blog posts and other technical material to educate and warn users of Minibone.

There aren't any published security advisories