This document outlines the default procedures suggested for SDK integrations for Godot.

SDK maintainers can override this policy with their own SECURITY.md file to further specify how they wish to receive security vulnerability reports.

If you've found a security vulnerability in Godot itself, please do not create an issue on the GitHub issue tracker as it will be visible publicly.

Instead, send an email to [email protected].

If you've found a security vulnerability in a community-maintained SDK for Godot, please review that SDK's MAINTAINERS.md file for contact details of the current maintainers, and send them a private email to disclose the vulnerability.