We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| latest | ✅ |
| < 1.0 | ❌ |
We take the security of our project seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: security@geijutsu.org
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Acknowledgment of your report within 48 hours
- Regular updates on our progress
- Credit for your discovery (if desired) in our release notes
- Notification when the vulnerability is fixed
We prefer all communications to be in English.
- Security updates are released as soon as possible after verification
- Security advisories are published via GitHub Security Advisories
- Critical vulnerabilities are prioritized and released immediately
- Users are notified through release notes and security advisories
When using this project:
- Always use the latest stable version
- Keep dependencies up to date
- Follow the principle of least privilege
- Enable all available security features
- Review and follow our security guidelines in the documentation
- We follow responsible disclosure practices
- Security issues are fixed before public disclosure
- Credit is given to security researchers (if desired)
- Coordinated disclosure timeline is typically 90 days
If you have suggestions on how this process could be improved, please submit a pull request.