This project is in early development. Please report vulnerabilities against the latest release and/or main.
If you discover a security vulnerability in cq, please report it responsibly by emailing security@mozilla.ai.
Do not open a public GitHub issue for security vulnerabilities.
Please include the following in your report:
- Project name and version (or commit SHA)
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Proof of concept (optional but helpful)
- We will acknowledge receipt of your report within 2 business days.
- We will provide an initial assessment within 5 business days.
- We will keep you informed of our progress as we work toward a fix.
- With your permission, we will credit you in the release notes.
We follow a coordinated disclosure approach. We ask that you do not disclose the vulnerability publicly until a fix has been confirmed and a disclosure timeline has been agreed upon. For critical issues, we aim to resolve and disclose within 30 days.
This policy applies to all cq repos and components, e.g.
Thank you for helping us keep cq secure.