Security Policy

If you have discovered a security vulnerability in this project, please report it privately. Do not disclose it as a public issue. This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.

You may submit the report in the following ways:

• Github users can privately report security advisories directly here (opens new window)

• Send an email to inquiries+two.js@jono.fyi.

Please provide the following information in your report:

• The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

This project is maintained by volunteers on a reasonable-effort basis. As such, we ask that you give us 90 days to work on a fix before public exposure.

---

Two.js conforms to this Incident Response Plan (opens new window) in moments of security risks.