How to report
GitHub Security Advisories
Use “Report a vulnerability” on the open-core repository. This is the preferred channel.
If GitHub advisories aren’t available to you, email security@webhook.co.
What to include
- What you found and where, with enough detail to reproduce it.
- The impact you think it has.
- Any proof-of-concept, and how you’d suggest fixing it.
What to expect
We aim to acknowledge reports within a few business days and will keep you updated on progress. Please give us a reasonable window to investigate and ship a fix before any public disclosure. We’re happy to credit reporters who want it.Please don’t run intrusive testing against production, exfiltrate data, or degrade the service
while testing — report what you find and let us reproduce it.