Please use the following table to understand which versions are currently supported with security updates.
| Version | Support Status |
|---|---|
| v0.8.x | Supported |
| < v0.8.0 | Not Supported |
We take security issues very seriously. If you discover a security vulnerability, please follow these steps to report it:
Please do not report security vulnerabilities in public GitHub issues.
Instead, please report privately through the following methods:
- GitHub Security Advisory (Recommended)
- Go to the project's "Security" tab
- Click "Report a vulnerability"
- Fill out the security advisory form
Please include the following information in your report:
- Vulnerability Type: Briefly describe the nature of the vulnerability
- Impact Scope: Affected components, versions, or features
- Reproduction Steps: Detailed steps on how to reproduce the vulnerability
- Proof of Concept: If possible, provide PoC code or screenshots
- Impact Assessment: Potential security impact and risk level
- Suggested Fix: If you have fix suggestions, please provide them
We commit to responding to security reports according to the following timeline:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Detailed Analysis: Within 7 business days
- Fix Release: 1-30 days depending on severity
We use the following criteria to assess vulnerability severity:
- Remote Code Execution
- Authentication bypass
- Unauthorized access to sensitive data
- Cross-Site Scripting (XSS)
- Privilege escalation
- Sensitive data exposure
- Information disclosure
- Denial of Service (DoS)
- Weak cryptography
- Configuration issues
- Information gathering vulnerabilities
- Report Reception: We receive your report and acknowledge it
- Vulnerability Verification: Our security team verifies the vulnerability's existence and impact
- Impact Assessment: Assess vulnerability severity and impact scope
- Fix Development: Develop and test fix solutions
- Coordinated Release: Coordinate disclosure timing with reporter
- Public Disclosure: Release security updates and announcements
We follow responsible disclosure principles:
- We will publicly disclose after fixing the vulnerability
- Please do not publicly discuss the vulnerability before the fix is released
- We will appropriately thank reporters in security announcements (unless you prefer to remain anonymous)
To receive security update notifications, please:
- Watch this Repository and enable security alerts
- Subscribe to Releases to get new version notifications
When using this project, we recommend following these security best practices:
- Always use the latest supported version
- Regularly update dependencies
- Enable appropriate logging and monitoring
- Implement the principle of least privilege
- Conduct regular security audits
This security policy applies to:
- All code in this GitHub repository
- Official releases
This security policy does NOT apply to:
- Third-party plugins or extensions
- User configuration errors
We thank the following researchers for their contributions to project security:
Note: This security policy may be updated regularly. Please check the latest version periodically.
Last Updated: March 2026