Draft a new security advisory online, or report security issues to [email protected] (PGP public key if relevant).

Include:

• Which AI tool was used
• Whether you are yourself a user of FreshRSS

Recommendations:

• Check duplicates in existing public PRs, issues, discussions, documentation
• Consider submitting a public PR if the vulnerability was mostly found by a public AI

Inspiration from https://lkml.org/lkml/2026/5/17/896:

AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved - and only makes that duplication worse because the reporters can't even see each other's reports.