Security: pug-sh/pug

SECURITY.md

Security Policy

Supported versions

Pug is pre-1.0 and moves fast. Security fixes land on main and in the latest release; there are no long-term support branches yet. Please confirm you can reproduce an issue against the latest main before reporting.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, Discord, or any other public channel.

Report privately via one of:

  1. GitHub private vulnerability reporting (preferred) — on the repository's Security tab, choose Report a vulnerability. This opens a private advisory visible only to you and the maintainers.
  2. Email: dev@pug.sh.

Please include:

  • a description of the vulnerability and its impact,
  • steps to reproduce or a proof of concept,
  • the affected version or commit, and
  • any suggested remediation, if you have one.

What to expect

  • We will acknowledge your report within a few business days.
  • We will keep you updated as we investigate and work on a fix.
  • We will credit you in the advisory once a fix ships, unless you prefer to remain anonymous.

Thank you for helping keep Pug and its users safe.

There aren't any published security advisories