Please do NOT report security vulnerabilities through public GitHub issues. Instead, use one of the following methods:
- Email: lxie@nju.edu.cn or whzhou@smail.nju.edu.cn (include "[SECURITY]" in the subject line)
- Private Advisory: GitHub Security Advisory (for GitHub users)
Include in your report:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact
- Affected versions (if known)
We will acknowledge your report within 3 business days and provide a timeline for resolution.
- Confirmation:
The security team will verify the vulnerability. - Patch Development:
A fix will be developed in a private repository branch. - Release:
Patches are released within 7 days of confirmation via: - CVE Assignment:
Critical vulnerabilities will receive a CVE identifier (if applicable).
Dayu currently commits to supporting the n-1 version minor version of the current major release; as well as the last minor version of the previous major release.
- Coordinated Disclosure:
Vulnerabilities are disclosed publicly after a patch is released. - Timeline Transparency:
Major vulnerabilities will have a public timeline in GitHub Security Advisories.
We credit security researchers who follow responsible disclosure practices. If you wish to be acknowledged, please specify your preference (name/handle or anonymous).