If you think that you have found a security issue in Sylius, don’t use the bug tracker and do not post it publicly. Instead, all security issues must be sent to firstname.lastname@example.org. Emails sent to this address are forwarded to the Sylius Core Team Members responsible for the framework’s security. Please do not reveal the issue publicly until the security fix is released and announced by Sylius.
We will not publish security releases during Saturday or Sunday, except for the vulnerabilities made public.