Security Policy

Please report vulnerabilities privately via security@bugsink.com or by using the GitHub Vulnerability Reporting Feature.

Disclosure posture

We follow responsible disclosure. Please do not publish details before we’ve had a reasonable chance to investigate and ship a fix.

When you report an issue, include reproduction details where possible. We will acknowledge the report and follow up directly.

Disclosures / write-ups

• Path traversal via event_id
• Unauthenticated remote DoS via crafted Brotli input [CVE-2025-64508]
• Unauthenticated remote DoS via crafted Brotli input (CPU) [CVE-2025-64509]
• Stored XSS via Pygments fallback in stacktrace rendering [CVE-2026-27614]