Security updates are provided for the latest tagged release (currently v0.2).

| Version | Supported |
|---|---|
| 0.2.x | Yes |
| < 0.2 | No |

If you discover a security vulnerability, please report it privately by emailing jean.f.brito@gmail.com.
Do not open a public GitHub issue for vulnerabilities. This allows time for a fix to be prepared and released before the issue is disclosed publicly.

Security reports are in-scope for:
- Code contained in this repository

Security reports are out-of-scope for:
- Third-party VLM endpoints (OpenAI, HuggingFace, etc.)
- Proxmox hypervisor vulnerabilities
- Rocket.Chat server vulnerabilities
- Issues in upstream dependencies (report to the dependency maintainer directly)

As a single-maintainer project, vulnerability reports are handled on a best-effort basis with no service-level agreement (SLA). You can expect a response within 5–7 business days.

Security researchers who responsibly disclose vulnerabilities will be acknowledged in the patch release notes if desired.