Only the latest production release of Phanpy receives security updates. Always update to the newest production version for the best protection.
Please don’t discuss security issues in public GitHub issues. Instead:
- GitHub Private Reporting (preferred):
  - Click "Report a vulnerability" under the Security tab.
- Email:
  - Reach out to me directly at [email protected]
Include:
- Steps to reproduce the issue
- Which parts of Phanpy are affected
- How severe you think the impact could be
Heads up: I’m a solo maintainer working on Phanpy in my free time. While I take security seriously, I can’t promise enterprise-grade response times. Here’s how I’ll handle reports:
- Confirmation: I’ll acknowledge reports when possible, but this might take weeks due to limited availability.
- Fixing: Critical bugs will be prioritized, but fixes may take significant time. If it’s urgent, feel free to follow up.
- Public Disclosure: Patched vulnerabilities will be disclosed once the fix is confirmed stable and most users have updated.
- Use Phanpy with a Mastodon instance that enforces HTTPS.
- Treat OAuth tokens like passwords – don’t share them!
- Dependencies: GitHub Dependabot alerts are enabled for vulnerability monitoring.
- Code:
  - Basic input sanitization to prevent XSS.
  - Planned: Improvements to client-side storage security (contributions welcome!).