Please do not report security vulnerabilities through public GitHub issues. Instead, please report them via an email to info@nvaccess.org.
You should receive an acknowledgement email response within 3 business days. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue. This information will help us triage your report more quickly.
- Type of issue (e.g. denial of service, privilege escalation, etc.)
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including what an attacker can achieve by exploiting the issue
- Potential workarounds to mitigate the issue
- Indicators of compromise caused by the issue
- If there is a known solution or approach to fixing this issue
Examples of handled security issues in NVDA can be found in the NVDA GitHub Security Advisories page.