We welcome reports from security researchers, and we'll work with you to confirm and fix any issue you find.

Please don't report security issues through public GitHub issues, pull requests or discussions. Anyone can see them, and we don't want a security issue to become public before we have fixed it. Please use one of the private channels below instead.

Our preferred channel is the bug bounty program at https://uxcam.com/bug-bounty, where you'll find our scope, rules, and how to submit a report.

If you'd rather not use the program, you're welcome to email us at security@uxcam.com. For sensitive details, you can encrypt your report with our PGP key: https://github.com/uxcamsec.gpg

Reports submitted through the bug bounty program are eligible for a reward and a place in our Hall of Fame: https://uxcam.com/bug-bounty-hall-of-fame