Report vulnerabilities in maintained Troy repositories and packages.
Security updates target the maintained branch of the affected project. Older branches are unsupported unless a repository states otherwise.
Use GitHub private vulnerability reporting on the affected repository when available.
If private vulnerability reporting is unavailable, open a public issue asking for a private security contact. Do not include vulnerability details, proof of concept code, exploit steps, credentials, logs, or customer information in the public issue.
Include these details privately (not in the public issue):
- The affected repository.
- The affected version, branch, tag, or commit.
- A clear description of the vulnerability.
- Steps to reproduce the issue.
- The expected impact.
- Any known workarounds.
- Whether the vulnerability is public or known to others.
Expect an initial response within 7 days.
The maintainers will review the report, confirm the affected scope, and decide whether a fix, advisory, workaround, or rejection is appropriate.
Do not publish vulnerability details until a maintainer confirms that disclosure is safe.
The maintainers may publish a security advisory after a fix is available or after the affected scope is no longer exploitable.