The following versions currently receive security fixes:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take the security of our project seriously. If you believe you have found a security vulnerability, please report it to us following these guidelines:
- DO NOT create a public GitHub issue for the vulnerability
- Instead, open a private ticket containing:
  - A description of the vulnerability
  - Steps to reproduce the issue
  - The potential impact of the vulnerability
  - Any possible fixes or mitigations you have identified
After you submit a report, our target timeline is:
- Initial response: you will receive an acknowledgment within 48 hours
- Assessment: we will investigate and provide an initial assessment within 5 business days
- Regular updates: we will keep you informed of our progress every 3 to 5 days
- Resolution goal: within 30 days
- Once the issue is resolved, we may ask for your feedback
Our commitments to reporters:
- We will investigate all legitimate reports
- We will fix confirmed vulnerabilities as quickly as possible
- We will credit reporters in our security advisories (unless they decline)
- We will not take legal action against researchers who follow these guidelines
We consider security research conducted under this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA), and we will not initiate legal action for good-faith research conducted under this policy
- Exempt from claims under the Digital Millennium Copyright Act (DMCA) for circumventing technology controls in the course of that research
- Exempt from any restrictions in our Terms & Conditions that would interfere with conducting security research
The following activities are out of scope and prohibited:
- Testing of any systems other than those explicitly identified as in scope
- Physical attacks against our infrastructure
- Social engineering attacks
- Denial of service attacks
- Automated vulnerability scanning
Security updates will be released through our normal release channels with appropriate documentation and changelog entries.
While conducting security research, please:
- Only test against test accounts you own
- Delete any sensitive data you may inadvertently access
- Do not access, modify, or delete other users' data
- Do not disrupt our services
- Cease testing and notify us immediately if you encounter sensitive data
This security policy is subject to change without notice. Please check back regularly for updates.