# Security Policy

## Reporting a Vulnerability

Draft a [new security advisory](https://github.com/FreshRSS/FreshRSS/security/advisories) online, or report security issues to ([PGP public key if relevant](https://alexandre.alapetite.fr/cv/pgp.asc)).

## AI-assisted security scanning

Include:

* Which AI tool was used
* Whether you are yourself a user of FreshRSS

Recommendations:

* Check duplicates in existing public PRs, issues, discussions, documentation
* Consider submitting a public PR if the vulnerability was mostly found by a public AI

Inspiration from :

> AI detected bugs are pretty much by definition not secret, and
> treating them on some private list is a waste of time for everybody
> involved - and only makes that duplication worse because the reporters
> can't even see each other's reports.