Security: containers/toolbox

SECURITY.md

Security and Disclosure Information Policy for the Toolbx Project

Reporting a Vulnerability

If you think you've identified a security issue in the Toolbx project, please DO NOT report the issue publicly via the GitHub issue tracker, Mastodon, or Matrix. Instead, submit a private vulnerability report.

Go to the Security and quality tab on GitHub, and click Report a vulnerability to open the advisory form. You can find more information about the fields available and guidance on filling in the form here and here.

If you want to work on a fix, you can create a temporary private fork. Only the maintainers can merge changes from that private fork into the parent repository.

Please do not create a public issue.

Security Vulnerability Response

Each report is acknowledged and analyzed by the maintainers as soon as possible.

Any vulnerability information shared with the maintainers stays within the Toolbx project and will not be disseminated to other projects unless it is necessary to get the issue fixed.

As the security issue moves from triage, to an identified fix, to release planning, the maintainers will keep the reporter updated.

There aren't any published security advisories