Security: antvis/expr

SECURITY.md

Security Policy

We take the security of AntV very seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.

Reporting a Vulnerability

To report a vulnerability, please follow these steps:

  1. Go to the Security tab in the relevant repository on GitHub.
  2. Click on the Advisories tab.
  3. Click on Report a vulnerability.

Alternatively, you can send an email to antsrc@service.alipay.com with a description of the issue, the steps to reproduce it, and the potential impact.

You can expect a response within 24 hours to acknowledge that we've received your report. If you don't hear back in that time, please reach out to a committer directly to confirm we received your message.

Security Response Process

Once a committer confirms the report is valid, they will create a draft security advisory on GitHub. We'll discuss the issue with the relevant maintainers and the reporter(s) in private.

If you'd like to participate in the discussion, please provide your GitHub username so we can invite you. Otherwise, you can ask to be kept updated via email.

If we accept the vulnerability, we'll work with you to determine a timeline for developing a patch, disclosing the issue publicly, and releasing the fix.

Scope

We prioritize vulnerabilities that could compromise data confidentiality, allow privilege escalation, or affect data integrity. Availability issues such as Denial of Service (DoS) and resource exhaustion are also taken seriously.

There aren't any published security advisories