Do not open a public issue. Use one of the following private channels:
- Preferred — open a GitHub Security Advisory directly on the affected repository.
- Fallback — email the maintainer alias (resolved via the noreply forwarder on the GitHub profile).
You will get an acknowledgement within 72 hours and a remediation timeline within 7 days.
| Branch | Status |
|---|---|
| main | Security fixes accepted |
| Previous SemVer minor | Best-effort patches for the most recent release line |
| Older | Out of support |
In scope:
- Code published under the `aphrody-code/*` namespace
- Supply-chain compromise of declared dependencies
- Credential / token leakage in repository content
Out of scope:
- Self-hosted infrastructure (VPS) — report directly to the operator
- Third-party services consumed via API
- Issues already public on the upstream of a fork
Coordinated disclosure is preferred. We will credit reporters in the release notes unless requested otherwise.