Lychee uses a rolling release system, we do not backport fixes to previously released versions. Those are the versions where we accept vulnerability reports.

As described in our contribution guide, if you discover a security vulnerability within Lychee, please contact us directly on discord. All security vulnerabilities will be promptly addressed.

If you are thinking about reporting an issue regarding the api/v2/Diagnostics endpoint, please note that it is intentionally public and does not require authentication. The responses from this endpoint do not contain any sensitive information or secrets and have been anonymized.

Its main goal is to allow users to easily diagnose issues with their Lychee installation even if they can't log in.