The following table outlines which versions of OpenOTP are currently supported with security updates:

| Version | Supported |
|---|---|
| latest | ✅ Yes |
| older | ❌ No |

If you discover a security vulnerability in OpenOTP:
- Do not open a public issue.
- Instead, create a private report on GitHub, or email: [email protected]
- Include as much detail as possible, including:
  - Steps to reproduce
  - Affected platform(s)
  - Potential impact
  - Suggested fix (if any)

This policy covers:
- Vulnerabilities in OpenOTP's codebase (Flutter UI, storage handling, OTP parsing)
- Weaknesses in the cryptographic handling of TOTP/HOTP secrets
- Leaks or unsafe storage of sensitive user data

Out of scope:
- Issues in third-party packages used by OpenOTP (unless exploitable through OpenOTP)
- Social engineering or phishing attacks
- Vulnerabilities requiring root/admin access

We appreciate responsible disclosure and will credit contributors who responsibly report issues, if desired.
Thank you for helping make OpenOTP safer for everyone.