Anytime an individual discovers a security flaw, there are certain steps that should be taken to ensure that the details of the flaw are disclosed in a responsible and acceptable manner. Reporting a flaw in open source software poses a number of unique challenges compared to the closed source counterparts.

This document should not be seen as a set of rules, but rather a set of best practices designed to help inform and guide the projects, researchers, and developers.

How a flaw should be dealt with can be broken into two distinct groups:

• Researchers
• Projects

( The Content in whattodo should be merged into these pages)