← Benjamin Ali

Security

Reporting a vulnerability, PGP, and how I disclose.

Report a vulnerability

Found a security issue in something I maintain — or want a second pair of eyes on a report? Email [email protected]. Encrypt anything sensitive with the PGP key below. I aim to acknowledge within 72 hours.

Please include enough to reproduce — affected version, a proof-of-concept input, and the observed behaviour. I'll keep you updated and credit you unless you'd rather stay anonymous.

How I disclose

When I report issues in others' projects, I follow coordinated disclosure: report privately first, work with the maintainer on a fix, and hold public details until a patch is available or a reasonable deadline (typically 90 days) has passed. One focused issue per report, with a verified root cause.

PGP

Fingerprint 9AC7 1EDB 6E1F 1902 41DA D508 2C48 E175 8DE7 7DB6
Public key /pgp.asc
Keyserver keys.openpgp.org