This repository is a benchmark suite and does not ship a production service. That said, we still take security reports seriously.
- We generally accept security fixes for the current
mainbranch. - If a reported issue affects upstream .NET/runtime components, we may redirect you to the appropriate upstream security process.
Please do not open a public GitHub issue for security-sensitive reports.
Instead, report privately by using one of these options:
- GitHub Security Advisories (preferred):
- Go to the repository on GitHub → Security → Report a vulnerability.
- If advisories are not enabled yet, contact the repository owner privately.
To help us triage quickly, include:
- A clear description of the issue and impact
- Steps to reproduce or a proof-of-concept
- Affected file(s) / component(s)
- Any mitigation or suggested fix
- Environment details (OS, .NET SDK versions)
We aim to:
- Acknowledge within 3 business days
- Provide an initial assessment within 7 business days
Timelines may vary depending on complexity and whether upstream coordination is required.
We follow responsible disclosure practices. Please give us a reasonable time to investigate and address issues before public disclosure.