Please do NOT open a public issue to report a security vulnerability.
Instead, use GitHub's private vulnerability reporting to submit your report directly. This keeps the details confidential while we work on a fix.
If the vulnerability is in a specific repository (e.g. zaparoo-app, go-pn532), please report it through that repository's Security tab → "Report a vulnerability" instead.
In your report, please include:
- Steps to reproduce the vulnerability
- Affected version(s) and platform(s)
- Impact assessment (what an attacker could achieve)
- Any proof-of-concept code, if available
We accept vulnerability reports for the latest stable release and the current development branch (main). Older releases are not supported with security patches — users should update to the latest version.
Response timeline:
- Acknowledgement: within 3 business days
- Initial assessment: within 7 business days
- Fix or mitigation: depends on severity, but we aim for 30 days for critical issues
We follow coordinated disclosure. Once a fix is available, we will:
- Release a patched version
- Publish a GitHub Security Advisory with full details
- Credit the reporter (unless they prefer to remain anonymous)
We ask that reporters do not disclose the vulnerability publicly until a fix has been released. If you have not received a response within 14 days, you may follow up on your original report.