| Version | Supported |
|---|---|
| Latest release | Yes |
| Older versions | No |

We recommend always running the latest version of Shep. Security fixes are applied to the latest release only.

Please do not open a public GitHub issue for security vulnerabilities.

If you discover a security vulnerability, please report it privately by emailing security@shep.bot. Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested fixes (optional)
- Acknowledgment: We will acknowledge your report within 48 hours.
- Triage: We will assess the severity and impact within 7 days.
- Resolution: We will work on a fix and coordinate disclosure with you. The timeline for a fix depends on the severity and complexity of the issue.
- You will receive an acknowledgment email confirming we received your report.
- We will investigate and keep you informed of our progress.
- Once a fix is ready, we will release a patch and credit you in the release notes (unless you prefer to remain anonymous).
- We will coordinate public disclosure timing with you.

This policy applies to the Shep CLI, web UI, and all packages published under the @shepai npm scope.

We appreciate your help in keeping Shep and its users safe. Responsible disclosure helps us address issues before they can be exploited.