Docker's general policy regarding security reports can be found on GitHub.
If you discover a security vulnerability, please bring it to Docker's attention right away!
Please DO NOT file a public issue, instead send your report privately to email@example.com.
Security reports are greatly appreciated, and Docker will publicly thank you for it. Docker also likes to send gifts—if you're into Docker branded merchandise, please let us know.
Docker currently does not offer a paid security bounty program, but we are not ruling it out in the future.