
Security: memorysafety/sudo-rs

SECURITY.md

Security policy

Do not report security vulnerabilities through public GitHub issues.

Instead, you can report them using our security page. Alternatively, you can also send them by email to security+sudo@tweedegolf.com. You can encrypt your email using GnuPG if you want. Use the GPG key with fingerprint C2E4 CAC4 B122 25DE 1C3B B1C9 289D 0820 03D0 1E95.

Include as much of the following information as possible:

  • Type of issue (e.g. buffer overflow, privilege escalation).
  • The location of the affected source code (tag/branch/commit or direct URL).
  • Any special configuration required to reproduce the issue.
  • The Linux distribution affected.
  • Step-by-step instructions to reproduce the issue.
  • Impact of the issue, including how an attacker might exploit the issue.

If you have found a bug that also exists in the original sudo (which, although unlikely, means it is a very serious issue), you must also follow the steps at https://www.sudo.ws/security/policy/

Preferred Languages

We prefer to receive reports in English. If necessary, we also understand Spanish, German and Dutch.

Disclosure Policy

Like original sudo, we adhere to the principle of Coordinated Vulnerability Disclosure.

Security Advisories

Security advisories will be published on GitHub and possibly through other channels.
