| Version | Supported |
|---|---|
| 1.x | ✅ Yes |
Please do not open a public GitHub issue for security vulnerabilities.
If you discover a security issue, report it privately by emailing:
Include in your report:
- A description of the vulnerability
- Steps to reproduce it
- The potential impact
- Any suggested fix (optional)
| Action | Timeframe |
|---|---|
| Acknowledgement of your report | Within 48 hours |
| Confirmation of the vulnerability | Within 5 business days |
| Patch release for critical issues | Within 7 days |
You will be credited in the release notes (unless you prefer to remain anonymous).
In scope:
- Authentication bypass or privilege escalation
- SQL injection or other injection attacks
- Exposure of other users' data
- JWT secret or credential leakage
Out of scope:
- UI/UX cosmetic issues
- Bugs that require physical access to a user's device
- Issues in third-party dependencies (report those upstream)
Once a fix is released, we will publish a summary of the vulnerability and credit the reporter. We ask that you give us a reasonable time to patch before any public disclosure.