Security updates are applied to the latest MINOR version of Jekyll, and the version used by GitHub Pages, v3.9.x.
Reporting a Vulnerability
Please report vulnerabilities by sending an email to firstname.lastname@example.org with the following information:
- A description of the vulnerability
- Reproduction steps and/or a sample site (share a private repo to the Jekyll Security Team)
- Your contact information
The Jekyll security team will respond to your submission and notify you whether it has been confirmed by the team. Your confidentiality is kindly requested as we work on a fix. We will provide our patch to you to test and verify that the vulnerability has been closed.
If you have created a patch and would like to submit that to us as well, we will happily consider it though we cannot guarantee that we will use it. If we use your patch, we will attribute authorship to you either as the commit author, or as a co-author.
Once a fix is verified, we will release PATCH versions of the supported MINOR versions and assign a CVE to the vulnerability. You will receive credit in our release post.
Once the patched version has been released, we will no longer request you to maintain confidentiality and you may choose to share details on how you found the vulnerability with the community.