Thank you for taking the time to responsibly disclose a security vulnerability in OpenUniverse. We take security seriously and appreciate your efforts to help us keep users and infrastructure safe.
We actively maintain and support the following versions:
| Version | Status | Notes |
|---|---|---|
| main (latest) | ✅ Supported | All new patches and releases |
| Past versions | ❌ Not supported | Use at your own risk |
Security patches will only be backported to previous versions if the impact is severe and there's significant user demand.
If you discover a potential security issue in OpenUniverse, please do not create a public GitHub issue or discussion.
Instead, contact us directly via email:
Include the following, if possible:
- A detailed description of the vulnerability
- The exact version(s) affected
- Steps to reproduce the issue (POC code, config, etc.)
- Potential impact or exploitability
- Suggested mitigation or fix (optional)
We are committed to keeping all reports confidential until a fix is released.
We follow these guidelines upon receiving a report:
- Acknowledgment within 72 hours
- Initial triage and impact assessment within 5 business days
- Fix or mitigation proposal within 14 days (or a timeline update)
- Coordinated disclosure with reporter if necessary
We prioritize issues based on severity, reproducibility, and real-world impact.
If you prefer encrypted communication, you may use our PGP key:
(coming soon)