Thank you for helping keep this project and its users safe. This document describes how to report a suspected vulnerability, which versions we support, and how we coordinate disclosure.
Please report suspected security vulnerabilities privately. Do not open a public GitHub issue for security reports.
- Email:
security@<please-edit>(placeholder — edit before merging)
We acknowledge new reports within 3 business days. We aim to triage and share a remediation plan within 14 days.
Security fixes are backported to the branches below. Older branches receive fixes only for high-severity issues on a best-effort basis.
| Version | Supported |
|---|---|
main (latest) |
Yes |
| Older revisions | Best-effort only |
Security reports are welcome for anything shipped by this repository, including:
- The application source code committed to
main. - Packaging, containers, and deployment manifests under this repo.
- Default configuration and bundled credentials/secrets in repo artifacts.
Out of scope:
- Findings about third-party dependencies that do not require a change here — please file those with the upstream project first.
- Denial-of-service that requires an attacker to already hold administrator access to the host running this software.
We prefer coordinated disclosure. Once a fix is available we publish a GitHub Security Advisory and release notes describing the impact and the upgrade path. Reporters are credited unless they request otherwise.
We will not pursue legal action against good-faith researchers who:
- Follow this policy.
- Stop at the proof-of-concept stage — do not exfiltrate data, degrade services, or pivot beyond the minimum needed to demonstrate the issue.
- Avoid data that is not their own.
Generated by OpenSec. Edit this file to match your actual process.