Do not open a public GitHub issue for security vulnerabilities.
Preferred reporting path:
- Use GitHub Private Vulnerability Reporting for this repository if it is enabled.
- If private reporting is not available, contact the repository owner privately through GitHub or another private channel you already use with the maintainer.
Please include:
- affected package or application
- affected version, commit, or release artifact
- impact summary
- reproduction steps or proof of concept
- any required configuration details
- logs or screenshots with secrets redacted
Response targets:
- initial acknowledgement target: within 5 business days
- status updates target: at least once every 10 business days while actively triaging
These are targets, not contractual SLAs.
Priority support applies to:
- the current default branch in the canonical monorepo
- the latest published first-party npm packages
- the latest desktop/TUI release artifacts
- the latest supported gateway container image and deployment docs
Out-of-date forks, old unpublished snapshots, and modified local builds may be triaged on a best-effort basis only.
Please wait for a coordinated fix or mitigation before disclosing a vulnerability publicly.
This project does not currently advertise a bug bounty program.