Security fixes are provided for:
- the latest release line
- the current `main` branch, when a fix has not yet been released
Older versions may not receive patches.
Please do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately using one of these channels:
- GitHub Security Advisories, if enabled for the repository
- Email: obsidianlabs.tech@gmail.com
Please include:
- a short summary of the issue
- affected page, module, or workflow
- reproduction steps
- screenshots or traces if relevant
- any tenant, authentication, or permission context required to reproduce
If the issue could cause cross-tenant data exposure, token/session leakage, authorization bypass, or contract-desync behavior, say that explicitly.
We aim to:
- acknowledge valid reports promptly
- reproduce and assess severity
- prepare a fix or mitigation
- publish a release once the fix is ready
Please avoid disclosing the issue publicly until a fix or mitigation is available.