We actively support the following versions with security updates:

We take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues you find.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities to us in one of the following ways:

• Email: [email protected]
• GitHub Security Advisory: Use the "Report a vulnerability" button in the Security tab of this repository

When reporting a vulnerability, please include the following information:

• Description: A clear description of the vulnerability
• Steps to Reproduce: Detailed steps to reproduce the issue
• Impact: Your assessment of the potential impact
• Affected Versions: Which versions are affected
• Proof of Concept: Code, screenshots, or other evidence (if applicable)
• Suggested Fix: Any ideas for how to fix the issue (optional)

After you submit a report, here's what you can expect:

• Acknowledgment: We will acknowledge receipt of your report within 2 business days
• Initial Assessment: We will provide an initial assessment within 5 business days
• Regular Updates: We will keep you informed of our progress at least every 10 business days
• Resolution: We aim to resolve critical vulnerabilities within 30 days
• Credit: We will credit you in our security advisory (unless you prefer to remain anonymous)

• We request that you give us a reasonable amount of time to fix the issue before public disclosure
• We will work with you to determine an appropriate disclosure timeline
• We prefer coordinated disclosure and will work in good faith to address legitimate security concerns
• We may publicly acknowledge your contribution in our release notes or security advisory

For users of this project, we recommend:

• Always use the latest supported version
• Regularly update dependencies
• Follow secure configuration guidelines in our documentation
• Enable security features like authentication and encryption where applicable
• Monitor our security advisories for updates

Currently, we do not offer a formal bug bounty program, but we deeply appreciate security research and responsible disclosure. We will recognize security researchers who help us improve our security posture.

• Security vulnerabilities in supported versions/branch
• Authentication and authorization bypasses
• Data exposure or injection vulnerabilities
• Remote code execution vulnerabilities
• Cross-site scripting (XSS) and similar client-side issues
• Denial of service vulnerabilities with proof of concept

• Vulnerabilities in unsupported versions
• Issues requiring physical access to user devices
• Social engineering attacks
• Vulnerabilities in third-party dependencies (please report to the respective maintainers)
• Issues that require user interaction with malicious content
• Rate limiting issues without demonstrable impact

• Security Team: [email protected]

• OWASP Security Guidelines
• GitHub Security Best Practices
• Dependency Security Scanning