Flight School takes security bugs in its projects seriously. We appreciate your efforts to disclose your findings responsibly, and will make every effort to acknowledge your contributions.
To report a security issue, please send an email to [email protected]. Your email will be acknowledged within one business day, and you'll receive a more detailed response to your email within 10 days indicating the next steps in handling your report.
Please use a descriptive subject line for your report email. After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and announcement.
In addition, please include the following information along with your report:
- Your name and affiliation (if any).
- A description of the technical details of the vulnerabilities. It's important to let us know how we can reproduce your findings.
- An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex.
- Whether this vulnerability public or known to third parties. If it is, please provide details.
If you believe that an existing (public) issue is security-related, please send an email to [email protected]. The email should include the issue ID and a short description of why it should be handled according to this security policy.
Once an issue is reported, Flight School follows the following disclosure process:
- When a report is received, we confirm the issue and determine its severity.
- If we know of specific third-party software or services that are affected and require mitigation before publication, those projects will be notified.
- An advisory is prepared (but not published), that details the problem and steps for mitigation.
- Wherever possible, fixes are prepared for the last minor release of the latest major release, as well as the master branch. We'll attempt to commit these fixes as soon as possible, and as close together as possible.
- Patch releases are published for all fixed released versions, and the advisory is published.
We credit reporters for identifying security issues, although we keep your name confidential if you request it.