Report a Vulnerability

If you find a bug that does not expose a security vulnerability, please report it in our public issue tracker at See the File a Bug page for details.

If, however, you find something that does look like it could be a security vulnerability, please follow this process:

Reporting Process

To report a security issue concerning Pro Custodibus, send an email to If it contains sensitive information, encrypt it with these PGP keys:

We would appreciate if you include the following in your report (if applicable):

  • Description, location (ie website URL, file paths, etc), and potential impact.

  • Steps required to reproduce (or proof-of-concept script).

  • Details of any tools used (including exact version numbers and platform info).

  • Tool or script output.

We take all reports seriously, and will respond to you within 24 hours. We expect to address most serious issues within a few days, but in some cases may ask that you delay publicly disclosing an issue for longer than that (but no longer than 1 month). If we ask for a delay, we will keep you updated on our progress every few days, and let you know as soon as it has been addressed.