Security fixes are applied to the latest released 0.x minor only. Pre-1.0, we don't backport — please update to the latest before reporting.
| Version | Supported |
|---|---|
| 0.3.x | ✅ |
| < 0.3 | ❌ |
Please do not file public GitHub issues for security vulnerabilities.
Instead, report privately via GitHub's private vulnerability reporting:
- Go to the Security tab of this repository
- Click Report a vulnerability
- Fill out the form
Alternatively, email security@minty.dev (once the domain is set up — until then, use GitHub's private advisory flow above).
Please include in your report:
- A description of the issue and why it's a vulnerability
- Steps to reproduce
- The affected version / commit SHA
- Your assessment of severity and impact
- Any suggested fix (optional)
Minty is maintained by a solo developer. Best-effort response times:
- Acknowledgement: within 7 days
- Initial assessment: within 14 days
- Fix or mitigation: timeline depends on severity
In scope:
- The `crm/server` and web UI
- The data importers under `sources/`
- Any injection, XSS, RCE, path traversal, or data exfiltration issue
- Dependency vulnerabilities that are exploitable through Minty's code paths
Out of scope:
- Issues that require local filesystem or shell access (Minty is self-hosted — local access is assumed)
- Vulnerabilities in third-party services (WhatsApp Web, IMAP, Google, LinkedIn) — report those to the vendor
- Social engineering
We prefer coordinated disclosure. Please give us a reasonable window to ship a fix before publishing details. We'll credit you in the changelog unless you prefer to remain anonymous.