Please report security vulnerabilities privately — do not open a public issue or pull request for a suspected vulnerability.

Use GitHub's private vulnerability reporting: Report a vulnerability.

A helpful report includes:

• The affected component and the commit or branch you tested against
• Steps to reproduce, ideally with a proof of concept
• Your assessment of the impact (what an attacker could do)

NeoWiki is in active pre-release development and is not yet intended for production use. There are no released versions with separate maintenance branches; security fixes are applied to the latest master.

We practice coordinated disclosure. We aim to acknowledge your report within five business days, keep you informed of our progress, and credit you when a fix is published (unless you prefer to remain anonymous). We will work on a fix as quickly as the severity warrants. Please give us a reasonable opportunity to release that fix before disclosing the issue publicly.