If you think you have found a potential security vulnerability in Authlib, please email <firstname.lastname@example.org> directly.
Do not file a public issue.
Please do not disclose this to anyone else. We will retrieve a CVE identifier if necessary and give you full credit under whatever name or alias you provide. We will only request an identifier when we have a fix and can publish it in a release.
Here is the process when we have received a security report:
we will reply to you in 24 hours
we will confirm it in 2 days, if we can’t reproduce it, we will send emails to you for more information
we will fix the issue in 1 week after we confirm it. If we can’t fix it for the moment, we will let you know.
we will push the source code to GitHub when it has been released in PyPI for 1 week.
if necessary, we will retrieve a CVE after releasing to PyPI.