Creator and head of developer team takes the security of its software and products, services seriously, which includes all source code repositories managed through it's control, even if its organiztions.
If you believe you have found a security vulnerability in any of this product, software (definition from MIT license), please report about it as described below.
If you prefer to submit without logging in, send email to referenced in code of conduct or below or visit DEV.TO , if possible, encrypt your message with out PGP key.
Please do not report security vulnerabilities through public GITHUB issues either pull requests.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.);
- full paths of source file(s) related to the manifestation of the issue;
- the location of the affected source code (tag/branch/commit or direct URL);
- any special configuration required to reproduce the issue;
- step-by-step instructions to reproduce the issue;
- roof-of-concept or exploit code (if possible);
- impact of the issue, including how an attacker might exploit the issue.
English language is preferred for any report about security vulnerability.
Information of this will help triage your report more quickly.
Under the principle of CVD (from coordinated vulnerability disclosure), researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately.
Researcher allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public, the vendor continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress.
Upon release of an update, the vendor may recognize the finder for the research and privately reporting the issue, if attacks are underway in the wild, and the vendor is still working on the update, then both the researcher and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers the aim is to provide timely and consistent guidance to customers to help them protect themselves.
For more information on CVD, please review the information provided in the following links:
Sometimes you can be asked to sign the CLA (or contributor license agreement) before sending the PR: for any code changes to be accepted, the CLA must be signed - its a quick and easy process.
- for individuals:
https://cla.developers.google.com/about/google-individual - for corporations, print, sign and scan with email, fam or mail the given form:
https://cla.developers.google.com/about/google-corporate
If you have more than one accounts, or multiple email addresses associated with a single account, you must sign the CLA using the primary email address of the GITHUB account used to author git commits and sending PRs.
Following documents can help with sorting out issues with accounts and multiple email addresses: