请优先使用 GitHub 的 Private Vulnerability Reporting 私下报告漏洞。请不要在公开 issue、pull request、Discussion、日志或社交媒体中披露漏洞细节。
报告中请尽量包含:
- 受影响的版本、平台与安装方式;
- 可复现问题的最小步骤或概念验证;
- 预期影响,以及已知的利用条件;
- 可行的缓解或修复建议(如有)。
请删除令牌、凭据、个人数据和不必要的大型数据文件。若 GitHub 没有显示私密报告表单,请不要改用公开 issue 披露细节;保留报告,或仅通过你与维护者已经建立的私密渠道联系。项目没有公布安全报告邮箱。
维护者会在私密报告中协调确认、修复与披露。在修复可用并完成协调披露前,请保持细节私密。
Please use GitHub Private Vulnerability Reporting as the preferred reporting channel. Do not disclose vulnerability details in a public issue, pull request, Discussion, log, or social-media post.
Include the affected version and platform, minimal reproduction steps or a proof of concept, the expected impact and prerequisites, and any suggested mitigation. Remove credentials, personal data, and unrelated large datasets. If the private form is unavailable, do not substitute a public report containing details; retain the report or use only a private channel you have already established with a maintainer. This project does not publish a security-reporting email address.
Please keep the report private while maintainers coordinate validation, remediation, and disclosure.