No technology is perfect, and Homebrew believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in Homebrew, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Scope

The following sites and applications are within scope for this program:

• The brew package manager (Homebrew/brew)

• The Homebrew/homebrew-* official taps

Scope Exclusions

The following do not constitute security vulnerabilities in Homebrew:

• brew.sh websites

• brew.sh domain SPF configuration

• security vulnerabilities in hosted web services Homebrew relies on (e.g. GitHub, Google Analytics, GitHub Pages)

• security vulnerabilities in packaged software that are present in the upstream software (although these should be reported to the upstream software)

• security vulnerabilities in software used by but not written by Homebrew

• nominal clickjacking and similar attacks against our static, GitHub Pages websites

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. Please bear in mind we're a project run entirely by volunteers in our spare time.

• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with our explicit permission.

• If it's an straightforward fix: please submit a pull request on GitHub.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service

• Spamming

• Social engineering (including phishing) of Homebrew maintainers or contributors

• Any physical attempts against Homebrew's machines

Thank you for helping keep Homebrew and our users safe!