Security is a core priority for this project. While no software can be entirely free of vulnerabilities, we are committed to addressing security issues promptly and transparently. We welcome reports from security researchers and users who identify potential vulnerabilities.
Security updates are provided for the following versions:
| Version | Supported |
|---|---|
| latest | ✅ |
Only the latest stable release receives security updates. Security fixes are generally not backported to older versions unless there is a significant and imminent risk to users.
If you discover a security vulnerability in this project, please report it through our GitHub Security Advisories page. This ensures that sensitive information is handled securely.
To help us address the issue efficiently, please provide:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- The affected version(s)
- Any relevant technical details (stack traces, error messages, etc.)
- Potential impact assessment
- Suggested remediation (optional)
This is an open-source project maintained by volunteers. We strive to respond promptly and aim for the following:
- Initial response: Within 7 business days
- Status updates: As significant progress is made
- Resolution: Based on severity and complexity
We appreciate your patience and understanding.
When reporting vulnerabilities, please:
- Avoid accessing, modifying, or deleting data that does not belong to you
- Avoid privacy violations or service disruptions
- Do not publicly disclose the vulnerability until we have addressed it
- Provide sufficient time for us to investigate and remediate the issue
We support responsible disclosure and will not pursue legal action against security researchers who:
- Act in good faith to identify and report security issues
- Avoid privacy violations, data destruction, or service degradation
- Only test against systems and accounts they own or have explicit permission to test
- Provide reasonable time for remediation before public disclosure
- Immediately cease testing and notify us if they encounter personally identifiable information (PII)
Activities conducted in accordance with this policy are considered authorized. We will make reasonable efforts to support you if legal action is initiated by a third party.
If you are uncertain whether your testing activities comply with this policy, please contact us before proceeding.
When we receive a security report:
- We confirm receipt and begin investigation
- We develop and test a fix
- We prepare a security advisory
- We release the fix and publish the advisory
- We credit the reporter (unless anonymity is requested)
We aim for coordinated disclosure, working with reporters to ensure vulnerabilities are addressed before public disclosure.
For security-related inquiries that do not involve vulnerability reports, please open a GitHub issue or contact the maintainers through the repository's communication channels.