The emoji-picker-react team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Only the latest major version receives active security updates.
| Version | Supported | Status |
|---|---|---|
| 4.x | ✅ | Active Support - Security updates & patches |
| 3.x | ❌ | End of Life |
| < 3.0 | ❌ | End of Life |
To ensure the safety of our users, please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
If you believe you have found a security vulnerability in emoji-picker-react, please report it to the maintainer directly via email:
To help us triage and prioritize your report, please include:
- Type of issue (e.g., XSS, prototype pollution, DoS).
- Full path(s) of the source file(s) where the bug manifests.
- Proof of Concept (PoC) or clear steps to reproduce the issue.
- Impact assessment (how an attacker could exploit this).
We are committed to the following response timeline for valid security reports:
- Acknowledgment: Within 48 hours.
- Triage & Validation: Within 5 business days.
- Patch Release: Critical issues are prioritized for immediate resolution.
We follow a Coordinated Disclosure model:
- You report the vulnerability privately.
- We verify the issue and develop a fix.
- We release a patched version of the package.
- We publish a GitHub Security Advisory (GHSA) detailing the issue and crediting you (if desired).
- You are then free to publish your findings.
We consider security research to be "safe" if you:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with explicit permission of the account holder.
- Wait until we have patched the vulnerability before disclosing it publicly.
We will not pursue legal action against researchers who follow these guidelines.