| Version | Supported |
|---|---|
| latest | ✅ |

Please do not open a public GitHub issue for security vulnerabilities.
If you discover a security vulnerability in this project, please report it responsibly:
- Email: Send a detailed report to the maintainers via a private channel (open a GitHub Security Advisory on this repository).
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
You should receive an acknowledgment within 48 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

The following are in scope:
- Authentication and authorization flaws (JWT handling, session management)
- Injection vulnerabilities (NoSQL injection, XSS, command injection)
- Sensitive data exposure (credentials, tokens, PII leaks)
- Broken access control (cross-user data access)
- Dependency vulnerabilities with a known exploit
The following are out of scope:
- Issues in third-party services (MongoDB Atlas, cloud providers)
- Denial of service resulting from missing rate limiting (we acknowledge this and plan to address it)
- Self-hosted deployment misconfigurations

Disclosure policy:
- We follow coordinated disclosure.
- We aim to release a fix within 14 days of confirming a vulnerability.
- Credit will be given to reporters in the release notes unless they prefer to remain anonymous.