Security: o-franca/liveloop

SECURITY.md

Security Policy

Supported versions

Liveloop is pre-alpha. Only the main branch is supported. Once we reach a stable release, this section will list specific versions.

Reporting a vulnerability

Please do not open a public issue for security problems. Email the maintainers privately (contact to be published at public launch) with:

  • A description of the issue
  • Steps to reproduce
  • The version or commit affected
  • Your assessment of impact and severity

We aim to acknowledge within 48 hours and provide an initial assessment within 7 days.

What is in scope

  • The Liveloop hosted instance at liveloop.social (once live)
  • The code in this repository
  • The sandbox iframe model and its Content Security Policy (CSP)
  • Authentication, authorization, and data privacy

What is out of scope

  • Issues in third-party dependencies that are already publicly disclosed and patched upstream (please report to the upstream project)
  • Social engineering attacks against maintainers or users
  • Physical attacks
  • Vulnerabilities in user-created artifacts that exploit the user's own choices (e.g., entering data into a clearly disclosed form) — these are content moderation issues, not platform vulnerabilities

Coordinated disclosure

We follow a coordinated disclosure model. Once a fix is available, we credit reporters (with permission) in the release notes.

Bug bounty

There is no formal bounty program at this stage. Genuine, impactful findings will be publicly credited.
