Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via GitHub's private vulnerability reporting:
- Go to the repository's Security tab in the top navigation
- In the Security tab, click Report a vulnerability
- Fill out the form with details:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Response times:
- Acknowledgment: within 24 hours
- Initial assessment: within 48 hours
- Resolution target: depends on severity, but as soon as possible

In scope:
- Command injection vulnerabilities (e.g., via crafted snapshot names or disk labels)
- Privilege escalation through `tmutil` or `diskutil` interactions
- Path traversal or directory traversal
- Sensitive data exposure
- Credential exposure risks

Out of scope:
- Issues in upstream dependencies (report to them directly)
- Issues requiring physical access to the machine
- Social engineering attacks