Please use https://g.co/vulnz to report security vulnerabilities.

This project is low-priority because it is experimental. In particular, there is no financial reward for submissions in this tier.

We use https://g.co/vulnz for our intake and triage. For valid issues we will do coordination and disclosure here on GitHub (including using a GitHub Security Advisory when necessary).

The Google Security Team will process your report within a day, and respond within a week (although it will depend on the severity of your report).