
Security: pipeshub-ai/pipeshub-ai

SECURITY.md

Security Policy

Reporting a Vulnerability

We take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues you find.

How to Report

Please DO NOT create public GitHub issues for security vulnerabilities.

Instead, please report security vulnerabilities by emailing: [email protected]

What to Include

When reporting a vulnerability, please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested fix (if available)
  • Your contact information for follow-up

What to Expect

  • Initial Response: We will acknowledge receipt of your report within 48 hours
  • Assessment: We will provide an initial assessment within 5 business days
  • Updates: We will send progress updates every 7 days until resolution
  • Resolution: We aim to resolve critical vulnerabilities within 30 days
  • Credit: We will acknowledge your contribution in our security advisories (unless you prefer to remain anonymous)

Disclosure Timeline

  • Day 0: Vulnerability reported
  • Day 1-2: Initial acknowledgment
  • Day 1-5: Initial triage and impact assessment
  • Day 1-30: Development and testing of fix
  • Day 30+: Public disclosure after the fix is deployed, typically within 90 days of the initial report.

Vulnerability Assessment

We classify vulnerabilities using the following criteria:

  • Critical: Immediate threat to user data or system integrity
  • High: Significant security impact with broad user exposure
  • Medium: Moderate security impact with limited exposure
  • Low: Minor security issues with minimal impact

Security Best Practices

When contributing to this project:

  • Keep dependencies up to date
  • Follow secure coding practices
  • Validate all user inputs
  • Use proper authentication and authorization
  • Implement logging for security events
  • Test for security issues regularly, not only before releases

Scope

This security policy applies to:

  • The main application code
  • Official Docker images
  • Documentation that could affect security
  • Dependencies we directly maintain

Out of Scope

The following are generally not considered security vulnerabilities:

  • Issues in third-party dependencies (please report to the respective maintainers)
  • Social engineering attacks
  • Physical security issues
  • Denial of service through resource exhaustion without amplification

Safe Harbor

We support safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations and service disruption
  • Only interact with accounts they own or have explicit permission to test
  • Do not access or modify other users' data
  • Report vulnerabilities promptly
  • Do not publicly disclose vulnerabilities before they are resolved

Contact

For any questions about this security policy, please contact: [email protected]


This security policy is subject to change. Please check back regularly for updates.

There aren’t any published security advisories