In case of a vulnerability contact the maintainer of the project.

Vulnerabilities should be treated confidential during a period of at most 90 days. This finishes earlier, if there is a fix made available.

This project has private reporting enabled, follow the instructions here.

Fixed vulnerabilities are to be included in the CHANGELOG and contain also (if not otherwise requested) the name of the reporter of said vulnerability.