Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via GitHub's private vulnerability reporting:
- Go to the repository's Security tab (in the top navigation bar, next to Issues/Pull Requests)
- Click "Report a vulnerability" in the left sidebar under Advisories
- Fill out the form with details:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Response timeline:
- Acknowledgment: within 24 hours
- Initial assessment: within 48 hours
- Resolution target: depends on severity, but as soon as possible
In scope:
- Container escape vulnerabilities
- Credential exposure risks
- Command injection possibilities
- Path traversal issues

Out of scope:
- Issues in upstream dependencies (report to them directly)
- Issues requiring physical access to the machine
- Social engineering attacks