Pug is pre-1.0 and moves fast. Security fixes land on main and in the latest
release; there are no long-term support branches yet. Please confirm you can
reproduce an issue against the latest main before reporting.
Please do not report security vulnerabilities through public GitHub issues, Discord, or any other public channel.
Report privately via one of:
- GitHub private vulnerability reporting (preferred) — on the repository's Security tab, choose Report a vulnerability. This opens a private advisory visible only to you and the maintainers.
- Email — dev@pug.sh.
Please include:
- a description of the vulnerability and its impact,
- steps to reproduce or a proof of concept,
- the affected version or commit, and
- any suggested remediation, if you have one.
After you report:
- We will acknowledge your report within a few business days.
- We will keep you updated as we investigate and work on a fix.
- We will credit you in the advisory once a fix ships, unless you prefer to remain anonymous.
Thank you for helping keep Pug and its users safe.