MatrixHub provides security fixes for maintained release branches. Versions that are end-of-life (EOL) do not receive security updates.

| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor release | Best effort |
| Older releases | No |

Check GitHub releases for the current supported version.

Please do not report security vulnerabilities through public GitHub issues.

- Go to Security advisories for this repository.
- Choose Report a vulnerability and submit details.

Maintainers will acknowledge receipt and work with you on coordinated disclosure.

We currently accept vulnerability reports only via GitHub Security Advisories. A dedicated security email alias may be added later.

When submitting an advisory, include:

- Description of the issue and impact
- Steps to reproduce
- Affected versions or commits
- Any proof-of-concept or logs (avoid sharing secrets)

| Stage | Target |
|---|---|
| Initial acknowledgment | Within 3 business days |
| Triage and severity assessment | Within 7 business days |
| Fix or mitigation plan | Depends on severity; critical issues prioritized |

These are goals, not guarantees. Complex issues may take longer.

- Reporter submits a private advisory or email.
- Maintainers confirm the issue, assign severity, and develop a fix (often on a private branch).
- A patched release is published; credit is given to the reporter if desired.
- A public advisory or release note describes the issue after a fix is available.

We follow coordinated disclosure: please allow reasonable time for a fix before public disclosure.

MatrixHub is often deployed on private networks. Operators should:

- Restrict network access to the API and admin UI
- Use strong authentication, TLS, and secrets management
- Keep dependencies and container images updated
- Follow your organization’s model-artifact and supply-chain policies

Open a pull request against this file or discuss with maintainers on Slack (see MAINTAINERS.md).