No technology is perfect, and Homebrew believes that working with skilled
security researchers across the globe is crucial in identifying weaknesses in
any technology. If you believe you've found a security issue in Homebrew, we
encourage you to notify us. We welcome working with you to resolve the issue
We pay bounties through BountyGraph
The following sites and applications are within scope for this program:
brew package manager (Homebrew/brew)
- The Homebrew/homebrew-* official taps
The following do not constitute security vulnerabilities in Homebrew:
- brew.sh, discourse.brew.sh and jenkins.brew.sh websites
- brew.sh domain SPF configuration
- security vulnerabilities in hosted web services Homebrew relies on (e.g. Discourse, GitHub, Google Analytics, GitHub Pages)
- security vulnerabilities in packaged software that are present in the upstream software (although these should be reported to the upstream software)
- security vulnerabilities in software used by but not written by Homebrew (e.g. Jenkins and plugins)
- nominal clickjacking and similar attacks against our static, GitHub Pages websites
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. Please bear in mind we're a project run entirely by volunteers in our spare time.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with our explicit permission.
- If it's an straightforward fix: please submit a pull request on GitHub.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Homebrew maintainers or contributors
- Any physical attempts against Homebrew's machines
Thank you for helping keep Homebrew and our users safe!
BountyGraph Payout Policy
Bounties are paid to hackers and project maintainers at the discretion of the
funding organizations and the BountyGraph team. To be eligible for a bounty,
each submission must meet BountyGraph's report