Security: dependabot/dependabot-core

SECURITY.md

GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as GitHub.

If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways.

Dependabot is in scope for the GitHub Bug Bounty Program. If you would like your finding to be considered for a bounty reward, please submit the vulnerability to us through HackerOne in order to be eligible to receive a bounty award.

If you do not wish to be considered for a bounty reward, please report the issue to us directly using private vulnerability reporting.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Thanks for helping make GitHub safe for everyone.