Only the latest release of each component (server, extension) is supported with security updates.
Please report security vulnerabilities via GitHub Security Advisory ("Security" tab → "Report a vulnerability") or by contacting the repository maintainer directly.
Do not file public issues for security vulnerabilities.
- A clear description of the vulnerability
- Steps to reproduce (if possible, a minimal PoC)
- Affected component and version
- Any potential impact or exploit scenario
| Phase | Expected time |
|---|---|
| Acknowledgment | Within 48 hours |
| Triage & severity assessment | Within 5 business days |
| Fix timeline communicated | After triage |
We follow a coordinated disclosure process:
- A fix is prepared in a private fork
- A security advisory is published on GitHub
- A patched release is published
- The vulnerability is publicly disclosed (if appropriate)
We do not currently operate a bug bounty program.