The New York Times takes security bugs in the NYTimes authored or maintained OSS seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
To report a security issue, email [email protected] with bug title as a subject line and you will get a response indicating the next steps in handing your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
If you find vulnerabilities in software, libraries or modules used by NYTimes authored or maintained OSS but written by third-party, please report the vulnerability to the person or team maintaining the code.