Security updates are provided for the following versions:
| Version | Supported |
|---|---|
| Latest stable release | ✅ |
develop branch |
✅ |
| Older versions | ❌ |
Please report vulnerabilities through GitHub Private Vulnerability Reporting.
- Open the repository on GitHub.
- Go to the Security tab.
- Click Report a vulnerability.
Please do not open public issues for security reports.
- Affected version or commit
- Clear reproduction steps and/or PoC
- Impact assessment
- Suggested fix (if available)
- Initial acknowledgement: within 72 hours
- Triage and severity assessment: within 7 days
- Status updates: at least every 14 days until resolution
We follow coordinated disclosure:
- Keep details private until a fix is available.
- Publish an advisory and/or CVE after remediation when appropriate.
- If remediation is delayed, coordinate a disclosure timeline (target: up to 90 days).
If you act in good faith and follow this policy, we will not pursue legal action for:
- Security research intended to improve project security
- Non-destructive testing that avoids privacy violations and service disruption
Please avoid:
- Data exfiltration, persistence, or privilege abuse beyond proving impact
- Denial-of-service and large-scale automated scanning
- Any action that harms users, infrastructure, or data