Security fixes are applied to the main branch and the latest published release. Older tags are retained for reference but are not actively maintained.
Please do not open a public issue for a suspected vulnerability, leaked credential, or exploit path.
Report it privately to the maintainer at tulsitomar2019@gmail.com with:
- the affected component or endpoint;
- steps to reproduce the problem;
- the expected and observed behavior;
- the potential impact;
- any suggested mitigation, if known.
Remove secrets, personal data, and live access tokens from screenshots or logs before sending them.
The maintainer will acknowledge a complete report within three business days, assess its severity, and coordinate a fix before public disclosure when the report is valid.
Reports are especially useful for:
- authentication or authorization bypasses;
- exposed credentials or unsafe secret handling;
- injection or unsafe input processing;
- dependency vulnerabilities with a practical OrbitOPS impact;
- unintended access to deployment, telemetry, or contributor data.
General bugs, feature requests, and documentation problems should use the public issue templates instead.