Maintainers and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab.
Please do not report security vulnerabilities through public GitHub issues, discussions, or Discord.
Important
Automated AI-generated contributions without human review are not allowed and will be rejected. This is an open-source project maintained by volunteers. We do not have the resources to review pull requests that could have been avoided with proper human oversight. While we have no issue with contributors using AI tools as an aid, it is your responsibility as a contributor to ensure that all submissions are carefully reviewed and meet our quality standards. Submissions that appear to be unreviewed AI output will be considered low-effort and may result in a ban.
If you are using any kind of AI assistance to contribute to Seerr, it must be disclosed in the pull request.
If you are using any kind of AI assistance while contributing to Seerr, this must be disclosed in the pull request, along with the extent to which AI assistance was used (e.g. docs only vs. code generation). If security advisory responses are being generated by an AI, disclose that as well. As a small exception, trivial tab-completion doesn't need to be disclosed, so long as it is limited to single keywords or short phrases.
An example disclosure:
This security advisory was written primarily by Claude Code.
Or a more detailed disclosure:
I consulted ChatGPT to understand the codebase but the solution was fully authored manually by myself.
Failure to disclose this is first and foremost rude to the human operators on the other end of the pull request, but it also makes it difficult to determine how much scrutiny to apply to the contribution.
In a perfect world, AI assistance would produce equal or higher quality work than any human. That isn't the world we live in today, and in most cases it's generating slop. I say this despite being a fan of these tools and using them successfully myself (with heavy supervision)!
When using AI assistance, we expect contributors to understand the code that is produced and to be able to answer critical questions about it. It isn't a maintainer's job to review a PR so broken that it requires significant rework to be acceptable.
Please be respectful to maintainers and disclose AI assistance.
To help us better understand and resolve the issue, please include as much of the following information as possible:
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue
We will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
- Security issues will be disclosed in a coordinated manner
- We will credit reporters in the security advisory unless anonymity is requested
- We request that you do not publicly disclose the issue until we have released a fix
If you discover a security vulnerability in a third-party dependency used by Seerr, please report it directly to the maintainers of that module. You can also notify us through our security advisory process so we can:
- Track the issue and monitor for updates
- Apply patches or workarounds if available
- Coordinate with upstream maintainers when necessary
- Communicate the impact to our users
We regularly monitor and update our dependencies to address known security vulnerabilities.
Security updates and advisories will be published on our GitHub Security Advisories page.
For general questions and support (non-security related):