All Pallets projects share the same security policy. See https://palletsprojects.com/security, the canonical location for the policy, which this is copied from.
There are some things we generally do not consider security issues, which can be found at the canonical policy page: https://palletsprojects.com/security. Please review the list before reporting an issue. You may still err on the side of caution and make a private report first, but we may close it or ask you to report a regular issue instead.
If you believe you have identified a security issue with a Pallets or Pallets-Eco project, do not open a public issue. To responsibly report a security issue, use GitHub's security advisory system. From the project's repository, click "Security" at the top, then click "Advisories" at the left, then click the green "New draft security advisory" button. Alternatively, you may email security@palletsprojects.com, and we will convert that to a GitHub security advisory.
Be sure to include as much detail as necessary in your report. As with reporting normal issues, a minimal reproducible example will help the maintainers address the issue faster. Information about why the issue is a security issue is also helpful. If you are able, you may also provide a fix for the issue.
A maintainer will reply acknowledging the report and how to continue. We will obtain a CVE id as well, please do not do this on your own. We will work with you to attempt to understand the issue and decide on its validity. Maintainers are volunteers working in their free time, and therefore cannot guarantee any specific timeline. Please be patient during this process.
The current feature release will receive security fixes. A backport to the previous feature branch may be considered upon request based on usage information and severity, but is not guaranteed.