If you discover a security vulnerability in Think, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Resolution target: Within 30 days for critical issues
This policy applies to:
- The Think desktop application
- The Think Chrome extension
- The Think backend server
- Vulnerabilities in dependencies (report to upstream maintainers)
- Social engineering attacks
- Physical attacks
| Version | Supported |
|---|---|
| Latest | Yes |
| < Latest | No |
We recommend always using the latest version.