| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |

Only the latest released version receives security fixes. Users are encouraged to upgrade promptly.

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, use GitHub's private vulnerability reporting to report security issues:

- Go to the Security Advisories page.
- Click "Report a vulnerability".
- Fill in the details and submit.

Please include the following in your report:

- Description of the vulnerability and its potential impact.
- Steps to reproduce or a proof of concept.
- Affected version(s).
- Any suggested fix, if you have one.

After you submit a report, you can expect:

- Acknowledgement within 3 business days.
- A plan for a fix or a request for more information within 7 business days.
- A coordinated disclosure timeline agreed upon with the reporter before any public announcement.
- Credit in the release notes (unless you prefer to remain anonymous).

The following are in scope for security reports:

- The `claude-escalate` binary and its dependencies.
- The Docker image and its base layers.
- The local dashboard web server.
- CI/CD workflow configurations that could lead to supply chain issues.

The following are out of scope:

- Vulnerabilities in upstream dependencies that are already publicly disclosed (please open a regular issue instead).
- The local dashboard is designed for localhost-only access and is not intended for public exposure.