Use the private vulnerability-reporting system under GitHub's Security and quality tab to file a report.

Our team will try to correct any vulnerabilities reported to us. If the reported vulnerabilities are not fixed in 6 months (and you haven't been told to withhold information from the public) or the problem has been resolved, you may disclose the issue publicly.

Addons whose filenames follow the pattern of jameson-*.js are Jameson addons, meaning that they are important parts of the Jameson programming language.

Vulnerabilities in these addons are especially-dangerous, so please refrain from publishing any information about them until you are explicitly given permission, or we publish a detailed advisory.