Security
Reporting a vulnerability, PGP, and how I disclose.
Report a vulnerability
Found a security issue in something I maintain — or want a second pair of eyes on a report? Email [email protected]. Encrypt anything sensitive with the PGP key below. I aim to acknowledge within 72 hours.
Please include enough to reproduce — affected version, a proof-of-concept input, and the observed behaviour. I'll keep you updated and credit you unless you'd rather stay anonymous.
How I disclose
When I report issues in others' projects, I follow coordinated disclosure: report privately first, work with the maintainer on a fix, and hold public details until a patch is available or a reasonable deadline (typically 90 days) has passed. One focused issue per report, with a verified root cause.
PGP
9AC7 1EDB 6E1F 1902 41DA D508 2C48 E175 8DE7 7DB6