Security Policy
Please report vulnerabilities privately via security@bugsink.com or by using the GitHub Vulnerability Reporting Feature.
Disclosure posture
We follow responsible disclosure. Please do not publish details before we’ve had a reasonable chance to investigate and ship a fix.
When you report an issue, include reproduction details where possible. We will acknowledge the report and follow up directly.
Disclosures / write-ups
- Path traversal via event_id
- Unauthenticated remote DoS via crafted Brotli input [CVE-2025-64508]
- Unauthenticated remote DoS via crafted Brotli input (CPU) [CVE-2025-64509]
- Stored XSS via Pygments fallback in stacktrace rendering [CVE-2026-27614]
- Authenticated arbitrary file write in artifactbundle/assemble [CVE-2026-40162]
- SSRF bypass in validate_webhook_url
