Only the latest release receives security fixes.

| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |

Do not use public GitHub issues for security vulnerabilities.
Report via GitHub Security Advisory or email sunnamed434 (at) proton dot me.
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact

Response time: 72 hours. Please don't disclose publicly until we release a fix.

In scope:
- Authentication/OAuth vulnerabilities
- Credential exposure (tokens, keys)
- Path traversal or access control bypasses
- Command injection
- Docker/container security issues

Out of scope: physical access, social engineering, third-party dependency vulnerabilities, misconfigured deployments.

When deploying YARMCP:
- Use HTTPS
- Rotate credentials regularly
- Restrict network access
- Keep YARMCP updated
- Monitor logs for suspicious activity

Note: This policy covers YARMCP itself, not repositories it accesses.