Security fixes are applied on a best-effort basis to:
| Version | Supported |
|---|---|
| master (latest) | ✅ |
| Older releases | ❌ |
If a vulnerability affects an unsupported version, upgrade to the latest release before requesting a fix.
Please do not open public issues for suspected security vulnerabilities.
Use GitHub Security Advisories for private reporting:
- Go to the repository Security tab.
- Click "Report a vulnerability".
- Share detailed reproduction steps and impact.
If private reporting through GitHub is unavailable, contact maintainers through repository ownership channels and include "Security" in the subject.
To help maintainers triage quickly, include:
- A clear description of the vulnerability and potential impact.
- Reproduction steps or a proof of concept.
- Affected commit/tag/version.
- Environment details (OS, Go version, Docker version, deployment mode).
- Any suggested remediation (optional).
Do not include production secrets, credentials, or personal data in your report.
Maintainers aim to:
- Acknowledge new reports within 5 business days.
- Triage severity and affected scope.
- Work on a fix and coordinate release timing.
- Credit the reporter unless anonymous disclosure is requested.
Please allow time for a fix before public disclosure. Coordinated disclosure helps protect users.
This service handles sensitive one-time messages and Vault tokens. Reports are especially valuable for issues related to:
- Secret leakage (logs, responses, storage, transport).
- Token misuse or replay that breaks one-time read guarantees.
- Authentication/authorization bypass in Vault interactions.
- TLS misconfiguration that can expose secrets in transit.
- File upload handling weaknesses (size limits, validation, processing).
For non-security bugs, use the public issue templates in bug_report.yml and feature_request.yml.