# Reporting a Vulnerability

If you believe you have found a security vulnerability, we would appreciate private disclosure so that we can work on a fix before disclosure. Any vulnerabilities reported to us will be disclosed publicly either when a new version with fixes is released or when 90 days have passed, whichever comes first.

To report vulnerabilities to us privately, please e-mail `santa-team@google.com`. If you want to encrypt your e-mail, you can use our GPG key `0x92AFE41DAB49BBB6`, available on pool.sks-keyservers.net:

`gpg --keyserver pool.sks-keyservers.net --recv-key 0x92AFE41DAB49BBB6`