Security: livrasand/gitGost

Security and Vulnerability Reporting

gitGost takes security seriously, particularly given its focus on privacy and anonymity. We welcome responsible vulnerability reports to maintain trust with our users.

How to Report Vulnerabilities

We accept responsibly disclosed vulnerability reports. To protect your anonymity, we provide multiple channels:

Anonymous Channels

  • Via gitGost itself: Submit an anonymous PR to this repository reporting the vulnerability (dogfooding).
  • Anonymous Email: Send an email to gitGos@proton.me (encrypted if possible).

Non-Anonymous Reports

  • Open an issue in this repository with the prefix [SECURITY] if you prefer public reporting.

What to Include in the Report

  • Clear description of the vulnerability.
  • Steps to reproduce it.
  • Potential impact.
  • Suggested mitigations (optional).

Response Timeline

  • Acknowledgment of receipt within 7 business days.
  • Status updates every 7-14 days.
  • Resolution of critical vulnerabilities within 30 days.

What NOT to Report via Public Issues

  • Do not create public issues for unconfirmed vulnerabilities.
  • Avoid discussing exploit details in public.
  • Do not use issues for general security inquiries.

Policies

  • No legal action will be taken against anyone who reports in good faith.
  • Anonymous reports may receive credit if requested (optional).
  • We adhere to standards such as Responsible Disclosure.

If you have questions, contact us anonymously.

Thank you for helping keep gitGost secure.
