Security bugs are taken very seriously. Your efforts to responsibly disclose your findings are appreciated.
Do not open up a GitHub issue if the bug is a security vulnerability in the Action itself.
If you discover a security vulnerability, please report it to: jthegedus@hey.com
Bugs in dependent tools should be reported to their maintainers. We will update the dependency here once a patch is released.
While we do not currently participate in any bug bounty programs, we promise to acknowledge the email within 21 days and respond within 30 days of the disclosure of the potential vulnerability with its legitimacy.
In general, public disclosures are made after the issue has been fully identified and a patch is ready to be released.