If you think you have found a potential security vulnerability in Authlib, please email <email@example.com> directly.
Do not file a public issue.
Please do not disclose this to anyone else. We will obtain a CVE identifier if necessary and give you full credit under whatever name or alias you provide. We will only request an identifier once we have a fix and can publish it in a release.
Here is the process once we have received a security report:
- We will reply to you within 24 hours.
- We will confirm it within 2 days. If we can’t reproduce it, we will email you for more information.
- We will fix the issue within 1 week after we confirm it. If we can’t fix it for the moment, we will let you know.
- We will push the source code to GitHub once the fix has been released on PyPI for 1 week.
- If necessary, we will obtain a CVE after releasing to PyPI.
There are no CVEs for versions before 0.5.