If you have found a vulnerability in software that I've developed or in one of my websites, please contact me as soon as possible using the resources you'll find at https://www.avm99963.com/.well-known/security.txt. In particular, please encrypt your message using my public PGP key (I use [gnupg](https://gnupg.org/)), or contact me so we can find a secure way of transmitting the vulnerability details.
I ask you to please keep the vulnerability information private between us until the vulnerability has been fixed. As I want to hold myself to the same standards I hold others [when I report vulnerabilities to them](https://vulnz.avm99963.com/w/lifecycle), I accept that the vulnerability details may be published 90 days after I receive your report, even if I don't fix the vulnerability.
I believe vulnerability details should always become public because everyone has the right to know about them and protect against them, although if there isn't evidence that a vulnerability is being actively exploited, in my opinion it's better to keep them private until either the vulnerability is fixed and the fix widely distributed, or the deadline has elapsed.