Security: Denver-MeshCore/denvermc

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version Supported
latest

Reporting a Vulnerability

We take the security of Denver MeshCore seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

How to Report

  1. GitHub Security Advisories (Preferred): Use GitHub's private vulnerability reporting to submit your report directly and securely.

  2. Discord: For less critical issues, you can reach out privately to maintainers via our Discord server.

What to Include

Please include as much of the following information as possible:

  • Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
  • Full paths of source file(s) related to the vulnerability
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if available)
  • Impact assessment of the vulnerability

Response Timeline

  • Initial Response: Within 48 hours of your report
  • Status Update: Within 7 days with an assessment and expected resolution timeline
  • Resolution: We aim to patch critical vulnerabilities within 30 days

Disclosure Policy

  • We will work with you to understand and resolve the issue quickly
  • We will keep you informed of our progress
  • We will credit you in the security advisory (unless you prefer to remain anonymous)
  • We ask that you give us reasonable time to address the issue before public disclosure

Security Best Practices

When contributing to this project, please:

  • Never commit secrets, API keys, or credentials
  • Keep dependencies up to date
  • Follow secure coding practices
  • Report any suspicious activity

Thank you for helping keep Denver MeshCore and our community safe!
