
Security: pallets/flask

SECURITY.md

Security Policy

If you believe you have identified a security issue with a Pallets project, do not open a public issue. To responsibly report a security issue, use GitHub's security advisory system. From the project's repository, click "Security" at the top, then click "Advisories" at the left, then click the green "New draft security advisory" button. Alternatively, you may email security@palletsprojects.com, and we will convert that to a GitHub security advisory.

Be sure to include as much detail as necessary in your report. As with reporting normal issues, a minimal reproducible example will help the maintainers address the issue faster. Information about why the issue is a security issue is also helpful. If you are able, you may also provide a fix for the issue. You may include a name and link if you would like to be credited for the report.

A maintainer will reply acknowledging the report and explaining how to continue. We will obtain a CVE id as well; please do not do this on your own. We will work with you to attempt to understand the issue and decide on its validity. Maintainers are volunteers working in their free time, and therefore cannot guarantee any specific timeline. Please be patient during this process.

The current feature release will receive security fixes. Fixes to older versions may be considered based on usage information and severity, but are not guaranteed. After fixing an issue, we will make a new release.
