Security: pallets/werkzeug
Security
SECURITY.md
All Pallets projects share the same security policy. See https://palletsprojects.com/security, the canonical location for the policy, which this is copied from.
There are some things we generally do not consider security issues, which can be found at the canonical policy page: https://palletsprojects.com/security. Please review the list before reporting an issue. You may still err on the side of caution and make a private report first, but we may close it or ask you to report a regular issue instead.
If you believe you have identified a security issue with a Pallets or Pallets-Eco project, do not open a public issue. To responsibly report a security issue, use GitHub's security advisory system. From the project's repository, click "Security" at the top, then click "Advisories" at the left, then click the green "New draft security advisory" button. Alternatively, you may email security@palletsprojects.com, and we will convert that to a GitHub security advisory.
Be sure to include as much detail as necessary in your report. As with reporting normal issues, a minimal reproducible example will help the maintainers address the issue faster. Information about why the issue is a security issue is also helpful. If you are able, you may also provide a fix for the issue.
A maintainer will reply acknowledging the report and how to continue. We will obtain a CVE ID as well; please do not request one on your own. We will work with you to attempt to understand the issue and decide on its validity. Maintainers are volunteers working in their free time, and therefore cannot guarantee any specific timeline. Please be patient during this process.
The current feature release will receive security fixes. A backport to the previous feature branch may be considered upon request based on usage information and severity, but is not guaranteed.
- Werkzeug safe_join() allows Windows special device names (GHSA-29vq-49wr-vm6x), published Feb 19, 2026 by davidism, severity: Moderate
- Werkzeug safe_join() allows Windows special device names (GHSA-87hc-h4r5-73f7), published Jan 8, 2026 by davidism, severity: Moderate
- Werkzeug safe_join() allows Windows special device names (GHSA-hgf8-39gv-g3f2), published Nov 29, 2025 by davidism, severity: Moderate
- Possible resource exhaustion when parsing form data (GHSA-q34m-jh98-gwm2), published Oct 25, 2024 by davidism, severity: Moderate
- Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain (GHSA-2g68-c3qc-8985), published May 5, 2024 by davidism, severity: High
- safe_join can produce unsafe paths on Python < 3.11 on Windows (GHSA-f9vj-2wh5-fj8j), published Oct 25, 2024 by davidism, severity: Moderate
- High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning (GHSA-hrfv-mqp8-q5rw), published Oct 24, 2023 by pgjones, severity: Moderate
- cookie prefixed with `=` can shadow unprefixed cookie (GHSA-px8h-6qxv-m22q), published Feb 14, 2023 by davidism, severity: Low
- high resource usage when parsing multipart form data with many fields (GHSA-xg9f-g7g7-2323), published Feb 14, 2023 by davidism, severity: High
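Several of the advisories above concern `safe_join()` accepting path segments that are harmless on POSIX but dangerous on Windows (traversal on older Pythons, reserved device names such as `CON` or `NUL`). The following is an added, illustrative helper written for this page; it is not Werkzeug's `werkzeug.security.safe_join` and makes no claim about how the project fixed those advisories. It assumes a hypothetical function name `hardened_safe_join`, POSIX-style forward-slash joining, and the standard Windows reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9), which Windows matches case-insensitively and regardless of any file extension.

```python
import posixpath
import re

# Windows reserved device names. Windows resolves "nul.txt" or "CON.log" to the
# device regardless of extension or case, and ignores trailing dots/spaces, so
# the check strips those before matching the first dotted component.
# (Standard Windows behaviour; the list is an assumption of this example.)
_WINDOWS_DEVICE_NAME = re.compile(
    r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE
)


def _is_windows_device_name(segment: str) -> bool:
    """True if a single path segment would resolve to a Windows device."""
    return _WINDOWS_DEVICE_NAME.match(segment.rstrip(" .")) is not None


def hardened_safe_join(directory: str, *pathnames: str):
    """Join untrusted path segments under ``directory``.

    Returns the joined POSIX path, or None if any segment would escape the
    directory, contains a backslash or NUL byte, or names a Windows device.
    Hypothetical helper for illustration, not Werkzeug's own implementation.
    """
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            # Collapse "./" and "a/../" so traversal is visible at the start.
            filename = posixpath.normpath(filename)

        # Backslashes and NUL bytes are never legitimate in a URL path segment
        # and behave differently on Windows, so reject them outright.
        if "\\" in filename or "\x00" in filename:
            return None

        # Absolute paths and anything that still climbs upward after normpath
        # would leave ``directory``.
        if filename.startswith("/") or filename == ".." or filename.startswith("../"):
            return None

        # Reject any component that Windows would treat as a device name.
        for segment in filename.split("/"):
            if _is_windows_device_name(segment):
                return None

        parts.append(filename)

    return posixpath.join(*parts)


if __name__ == "__main__":
    # Constructed sample inputs: a benign file, two traversal attempts, and
    # two Windows device names hidden in otherwise ordinary-looking paths.
    for candidate in ["docs/readme.txt", "../etc/passwd", "a/../../b",
                      "nul.txt", "uploads/COM1", "console.log"]:
        print(repr(candidate), "->", hardened_safe_join("/srv/files", candidate))
```

The device-name check runs on every segment, not just the last one, because `uploads/COM1/x` is as much a problem as `COM1` itself; the `console.log` case shows that a plain prefix match would be too aggressive, which is why the pattern insists on a dot or end-of-string after the reserved name.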