The following restrictions apply for versions that are still supported in terms of security and bug fixes:
- ❔ Must be using the latest major/minor version.
- ❔ Must be using a supported platform for the repository (e.g. VSCode, etc.), and that platform must be within its supported versions (for example: don't use an old version of VSCode, make sure to stay up to date).
- ❔ Repository must not be archived (unless the vulnerability is critical, and the repository moderately popular).
- ✔️ If one of the above doesn't apply to you, feel free to submit an issue and we can discuss the issue/vulnerability further.
Best method of contact:
- 📧 Email: report@data-g.one
If you feel that this disclosure doesn't include a critical vulnerability and there is no sensitive information in the disclosure, you don't have to use the GPG key. For all other situations, please use it.
- 🔕 We expect you to not share this information with others, unless:
  - The maximum timeline for initial response has been exceeded (shown below).
  - The maximum resolution time has been exceeded (shown below).
- 🔎 We expect you to responsibly investigate this vulnerability -- please do not utilize the vulnerability beyond the initial findings.
- ⏱️ Initial response within 7 days.
- ⏱️ Resolution time will depend on the severity of the disclosure.
- If the vulnerability is very low/low in terms of risk, the above timelines will not apply.
- If you want to contribute to the resolution, see CONTRIBUTING.md on how to do it.
- 🧰 Before the release of resolved versions, a GitHub Security Advisory will be released on the respective repository. Browse all advisories here.