We actively look for and address vulnerabilities in internal website code, external (outside domain) files, and files distributed by our products and communities.
DO NOT report security vulnerabilities as an issue, pull request (PR), or discussion on GitHub, Discord communities, or other online forums. Vulnerabilities should not be publicly disclosed. Please report all vulnerabilities privately at [email protected] or make a security advisory here.
Our team prioritizes fixing security vulnerabilities as soon as possible. All vulnerability patches take precedence over scheduled release dates and should be released as soon as the patch is ready. These patches should only include vulnerability fixes with no additional content. This policy is crucial as upcoming updates may consist of account-based components, making security even more vital.
Per the Reporting a Vulnerability section, all team members involved in security patches or aware of security vulnerabilities must not disclose these vulnerabilities until the agreed-upon public disclosure date/time is approved by all higher-ups/team members. Repeated violations may lead to termination from the contributor team and your volunteer/employment status with AT Products LLC.