Before reporting a vulnerability, please make sure it is in scope. For example, you should report:
- Server vulnerabilities that may escalate user privileges or allow exfiltration of data.
- Client vulnerabilities that allow remote code execution or allow exfiltration of data.
You should not report anything that requires physical access to a client machine to achieve, such as:
- Intercepting requests to visually alter client-side privilege indicators (without gaining actual server-side privilege)
- Exfiltration of user credentials through third-party sites
You may disclose security vulnerabilities to us in two different ways:
- Create a draft security advisory on the appropriate GitHub repository in our organisation. Open the "Security" tab on the repository, then fill out the details as appropriate.
- Email us at [email protected] to open a new ticket. You should receive a response within the next couple of days.
In general, please always provide:
- The type of issue at hand
- The name of the relevant project(s) affected
- Reproduction steps
- Reference to any relevant source file(s) that you may suspect are causing the issue (if you can)
- Any extra information about your configuration
- Description of potential ways this can be exploited, if you can list any
- Any version information (e.g. commit hash for the web client, API version, etc.)
Thank you for helping Stoat!