The Vega team and community take security bugs in Vega languages and tools seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Please do not report security vulnerabilities through public GitHub issues.

To report a security issue privately, please use the GitHub Security Advisory "Report a Vulnerability" tab.

A Vega maintainer will send a response indicating next steps in handling your report. After the initial reply, the team will keep you informed of the progress towards a fix and announcement, and may ask for additional information or guidance.

Communications should be in English.

To learn more about security measures in Vega, see the documentation on using an expression interpreter for Content Security Policy (CSP) compliance, or loader for opening network or filesystem resources.