We release patches for security vulnerabilities. Currently supported versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |

We take security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

If you discover a security vulnerability, please follow these steps:
- DO NOT open a public issue
- Use GitHub's Security Advisory feature to privately report the vulnerability:
  - Go to the repository's Security tab
  - Click "Report a vulnerability"
  - Fill out the advisory form
- Include the following information:
  - Type of vulnerability
  - Full paths of source file(s) related to the vulnerability
  - Location of the affected source code (tag/branch/commit or direct URL)
  - Step-by-step instructions to reproduce the issue
  - Proof-of-concept or exploit code (if possible)
  - Impact of the issue, including how an attacker might exploit it

After you submit a report, you can expect:
- Acknowledgment of your report within 48 hours
- Regular updates on our progress
- Credit in the security advisory (unless you prefer to remain anonymous)

This template follows Electron security best practices:
- ✅ Context isolation enabled
- ✅ Node integration disabled in renderer
- ✅ Secure IPC communication via preload scripts
- ✅ Content Security Policy considerations
- ✅ No direct Node.js access in renderer process

To catch known vulnerabilities in dependencies and code, we use:
- Dependabot for automatic dependency updates
- npm audit for security vulnerability scanning
- Regular CI/CD checks for security issues

When we receive a security bug report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar problems
- Prepare fixes for all supported versions
- Release patches as soon as possible

If you have suggestions on how this process could be improved, please submit a pull request.