You can report security vulnerabilities through two channels:
- GitHub Security Advisory:
  - Navigate to the Security tab in our repository
  - Click on "Report a vulnerability"
  - Provide a detailed description of the vulnerability
- Direct contact:
  - Send your report to anyone with the "maintainer" role on Discord
  - Please include as much information as possible about the vulnerability

When reporting a vulnerability, please provide:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Any potential impact
- If possible, suggestions for addressing the vulnerability
- Your contact information for follow-up questions

What to expect:
- Submit your report through one of the channels above
- Receive an acknowledgment
- We will investigate and validate the issue
- We will work on a fix and keep you updated on our progress
- Once resolved, we will publish the fix and acknowledge your contribution (if requested)

Only the latest version of Grimmory is supported for security updates. We do not backport security fixes to older versions.
| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |
Please note: Before reporting a security issue, ensure you are using the latest version of Grimmory. Security reports for older versions will not be accepted.
When deploying Grimmory:
- Always use the latest version
- Use strong, unique passwords for admin accounts
- Grant any external services or integrations only the minimum permissions they need
- Run Grimmory in a secure environment (e.g., behind a firewall, with proper network segmentation)
- Regularly check for and apply updates

Note: this list is not exhaustive. Always follow general security best practices when deploying any software.