Security: addon-stack/browser

SECURITY.md

Security Policy

Supported Versions

We aim to maintain the latest release line of this project. If you use an older version, please consider upgrading to receive security fixes.

Reporting a Vulnerability

Please report security issues privately and avoid opening public issues with exploitable details.

When reporting, please include (if possible):

  • Affected version(s) and package name (adnbn) and how you installed it
  • Environment details (OS, Node.js version, browser/runtime, relevant configs)
  • Steps to reproduce and a minimal proof of concept (PoC)
  • Impact assessment (what an attacker can do and likely severity)

We will acknowledge your report within 72 hours and keep you informed as we triage and address the issue.

Coordinated Disclosure

We follow coordinated disclosure practices:

  • We collaborate with you to verify the issue and determine the fix.
  • A fix will be released as soon as feasible, depending on severity and complexity.
  • After a fix is available, we will publish release notes describing the impact and mitigation.
  • Please refrain from public disclosure until a fix has been released or we agree on a timeline together.

Credit

We are happy to acknowledge reporters in release notes (unless you prefer to remain anonymous). If you would like a specific name or handle to be used, let us know.

CVEs and Bounties

  • CVE assignment may be considered on a case-by-case basis.
  • We do not operate a bug bounty program at this time.

Scope

This policy covers the code and packages maintained in this repository. Issues in third-party dependencies should be reported upstream to their maintainers when appropriate.

There aren’t any published security advisories