Only the latest commit on main (and the most recent tagged release, if any)
receives security fixes. Older versions are not maintained — please upgrade
before reporting issues.
Do not open public issues for security bugs.
Please report vulnerabilities privately through GitHub's private vulnerability reporting:
- Go to the Security tab of this repository.
- Click Report a vulnerability.
- Provide a description, reproduction steps, and the affected version / commit.
This creates a private thread visible only to maintainers, so the issue can be triaged and fixed before any public disclosure.
This is a solo-maintained open-source project, so triage is best-effort — there is no formal response SLA. I will acknowledge reports as soon as I am able and work in the open from there. Coordinated disclosure is appreciated: please give me a reasonable window to ship a fix before publishing details.
In scope:
- The Flutter app (
lib/,test/) - Build / CI configuration (
.github/workflows/,tools/) - Local persistence (sqflite, drift web)
- Crash reporting integration (Sentry)
Out of scope:
- Vulnerabilities in upstream dependencies — please report those to the respective projects (Flutter SDK, sqflite, drift, sentry-dart, etc.). I'll pick up fixes once they're released upstream, tracked via Dependabot.
- Self-hosted backends sketched in
docs/BACKEND_INTEGRATION.md— that integration is not implemented in this repository.