If you believe you have found a legitimate security vulnerability, please report it.
There is no bounty program, and there are no payments for discovering or reporting security vulnerabilities, but we all benefit from software that is more secure. I am happy to provide public thanks once the issue has been resolved.
What I need is:
- An explanation of the bug.
- A minimum viable reproduction case which triggers the issue.
- What you expected to happen.
- What actually happened.
- [OPTIONAL] A suggested patch attached as a .diff file, if you have one.
I don't check my email every day, and I get LOTS of email. It may take me up to a week to discover your message. I will respond as soon as I see your message and confirm that I can reproduce the issue.
Thank you for participating in the responsible disclosure of security vulnerabilities.