Only the latest release in a supported branch receives security patches.

Do not file security issues as public GitHub issues.

To report a vulnerability, email craig@k5n.us with:

• A description of the vulnerability
• Steps to reproduce or a proof of concept
• The affected version(s)
• Any suggested fix (optional)

• Acknowledgment within 72 hours of your report.
• Assessment and severity determination within 1 week.
• Fix or mitigation for confirmed vulnerabilities, typically within 30 days depending on complexity.
• A coordinated disclosure timeline agreed upon with the reporter.

We follow coordinated disclosure:

1. Reporter notifies us privately.
2. We confirm and develop a fix.
3. We release the fix and publish a GitHub Security Advisory.
4. Reporter may publish details after the advisory is public.

We aim to resolve confirmed vulnerabilities within 90 days of the initial report. If more time is needed, we will communicate the revised timeline to the reporter.

We credit reporters in the security advisory and release notes unless they prefer to remain anonymous. Let us know your preference when reporting.

The following are in scope for security reports:

• Authentication or authorization bypass
• SQL injection
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Remote code execution
• Path traversal or local file inclusion
• Information disclosure (credentials, PII, internal paths)
• MCP server token or access control issues

The following are out of scope:

• Denial of service (unless trivially exploitable)
• Issues in third-party dependencies (report to the upstream project)
• Issues requiring physical access to the server
• Social engineering

See docs/security.md for deployment hardening guidance including file permissions, web server configuration, database security, and session settings.