| Version | Supported |
|---|---|
| latest | ✅ |

We support security updates for the latest release only. Older versions are not guaranteed to receive patches.
Please do not report security vulnerabilities through public GitHub issues.
To report a vulnerability, use GitHub's private vulnerability reporting feature:
- Go to the Security tab of this repository.
- Click "Report a vulnerability".
- Provide a description, the affected version or commit, reproduction steps, an assessment of impact, and any other relevant details.

We aim to acknowledge reports within 5 business days and provide an initial assessment within 10 business days.
- We follow responsible disclosure practices.
- Once a fix is available, we will coordinate a disclosure timeline with the reporter.
- Credit will be given to reporters in release notes unless they prefer to remain anonymous.

The following are in scope for vulnerability reports:
- Authentication and authorization bypass
- Remote code execution
- Privilege escalation
- Data exfiltration or tenant isolation failures
- Cryptographic weaknesses in token handling or evidence integrity
- Injection vulnerabilities (SQL, command, prompt injection in agentic workflows)
- Supply-chain issues in published artifacts

The following are out of scope:
- Vulnerabilities in third-party dependencies that have already been publicly disclosed
- Denial-of-service attacks requiring significant resources
- Social engineering attacks
- Issues in development or demo environments

For non-sensitive security questions, open a discussion in the GitHub Discussions tab.