Security: Endorpheen/IgorekChatBot

SECURITY.md

Security Policy

Supported versions

Only the latest main branch and the latest release are supported.

Report a vulnerability

Use GitHub “Report a vulnerability” (Security → Advisories) for private disclosure. Do NOT open public issues for vulnerabilities.

SLA: acknowledge within 48h, triage within 7 days, fix/mitigate within 30 days when feasible.

Scope

Included: backend (Python), web-ui (JS/TS), Docker images, CI. Excluded: third-party services and user config on self-hosted instances.

Temporary workarounds

If you have a PoC, provide minimal reproduction steps and impacted versions.


Security Policy (RU)

Where to report: via GitHub “Report a vulnerability” (privately).
Timelines: acknowledgement within 48 h, triage within 7 days, fix/mitigation within 30 days (when feasible).
In scope: backend (Python), web-ui (JS/TS), Docker/CI.
Out of scope: third-party services and users' local settings.
Do not open public issues for vulnerabilities.

Contacts

Primary: Telegram — @Endorpheen (https://t.me/Endorpheen)
Backup: GitHub “Report a vulnerability” (Security → Advisories).
PGP: not required.