If you discover a security vulnerability in iplayer-arr, please report it privately via GitHub's Private Vulnerability Reporting feature:
https://github.com/Will-Luck/iplayer-arr/security/advisories/new
This routes the report directly to the maintainers and keeps the vulnerability private until a fix is published.
Please do not open a public GitHub issue for security vulnerabilities. Public issues advertise the vulnerability before it can be fixed.
We aim to acknowledge security reports within 7 days and to publish fixes for confirmed vulnerabilities as quickly as is practical.
This policy covers the iplayer-arr application and the official Docker images published to GHCR (ghcr.io/will-luck/iplayer-arr) and Docker Hub (willluck/iplayer-arr). It does not cover BBC iPlayer itself or any other service iplayer-arr integrates with.
The following are out of scope for this policy:
- Bugs that do not affect security (please use a regular GitHub issue)
- Issues in third-party dependencies (please report those upstream)
- Findings that require pre-existing privileged access to the host running iplayer-arr
Thank you for taking the time to report security issues responsibly.