| status |
|---|
| draft |
- Do Not Disclose Publicly: If you believe you've found a security vulnerability in a CF project, please do not post it in public places such as public issue trackers, mailing lists, or forums.
- Send Directly to Project Maintainers: Send all the pertinent details to the project maintainers directly. If they have a dedicated security email address, use that. If not, contact the primary maintainers.
- Use Encryption: For an added layer of security, consider encrypting your message with the maintainer's PGP key, if one is available.
- Provide Details: Clearly describe the nature and potential impact of the vulnerability. If possible, include steps to reproduce or a proof of concept.
- Acknowledgment: Once we receive your report, the project team will acknowledge it, usually within 48 hours.
- Assessment and Mitigation: The vulnerability will be analyzed, and the necessary patches or mitigations will be implemented.
- Credit: We respect the importance of security researchers. When the vulnerability is disclosed, we'll ensure you get proper credit unless you wish to remain anonymous.
- Coordinated Disclosure: The timing of the public disclosure will be agreed upon with the reporter. Typically, it's done after a patch or mitigation strategy has been devised and shared with affected users.
- Regular Updates: The team will keep the reporter updated on the progress and the expected disclosure timeline.
- Act in Good Faith: This community is built on trust. Please act responsibly and avoid data destruction, service disruption, and privacy violations when researching vulnerabilities.
- Feedback: We're always open to feedback on this policy. If you have suggestions for improvement, feel free to share them.