If you believe you have found a security vulnerability in Coral, please report it privately.
Email: security@withcoral.com
Please do not report security vulnerabilities in public GitHub issues, discussions, or pull requests.
When reporting an issue, please include as much of the following as you can:
- a description of the vulnerability
- the affected version, commit, or environment
- steps to reproduce the issue
- any relevant logs, screenshots, or proof of concept
- any suggested mitigation, if known
This policy applies to the code in this repository and official release artifacts produced from it.
If a vulnerability originates in a third-party dependency, please report it to the relevant upstream project as appropriate. We would also appreciate a report so we can assess the impact on Coral and track any required fixes or upgrades.
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it.
We aim to acknowledge reports promptly and work with reporters in good faith through triage, validation, and remediation.
We are happy to credit reporters in release notes or other acknowledgements, unless you would prefer to remain anonymous.