| Version | Supported |
|---|---|
| 5.0.x | ✅ |
| 4.x | ❌ |
| < 4.0 | ❌ |

We take the security of QWED very seriously. If you discover a security vulnerability, please report it to us immediately.
Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.
Instead, please report them privately via email to:
rahul@qwedai.com
If GitHub private vulnerability reporting is enabled for this repository, you may use that channel as well.
Please include as much information as possible to help us reproduce and fix the issue, including:
- Steps to reproduce the issue
- Affected version(s)
- Relevant code, configuration, logs, or screenshots
- Proof-of-concept or exploit details, if available
- The potential impact on confidentiality, integrity, or availability
We are committed to addressing security issues promptly.
- We will acknowledge your report within 24 hours
- We will triage and validate the report as quickly as possible
- We will keep you informed of progress during investigation and remediation
- We will coordinate disclosure timing with you when appropriate
Please give us a reasonable amount of time to investigate and remediate the issue before making any public disclosure.
We ask that you:
- Avoid publicly disclosing the issue until a fix or mitigation is available
- Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
- Avoid accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the issue
We value the security community and will publicly credit vulnerability reporters who responsibly disclose issues and do not request anonymity. Credit may be given in release notes, advisories, or repository security history.
To help us triage issues effectively, please distinguish between security issues and bugs:
- Security issue: A vulnerability that compromises the confidentiality, integrity, or availability of the system, such as code execution, injection, auth bypass, privilege escalation, sensitive data exposure, sandbox escape, or fail-open security behavior. Please report these privately as described above.
- Bug: A functional defect or unexpected behavior that does not have security implications, such as a UI issue, incorrect calculation, documentation problem, or non-exploitable crash. Please report these via the GitHub Issue Tracker.
Thank you for helping keep QWED secure.