We release security updates for the current release branch. Older branches are not officially supported.
Please do not report security vulnerabilities in public issues or pull requests.
If you believe you've found a security issue:
- Email the maintainers or open a private security advisory on GitHub (recommended once the repo is public).
- Include a clear description, steps to reproduce, and impact if possible.
- We will acknowledge receipt and aim to respond within a reasonable time.
- We will work on a fix and coordinate disclosure (e.g. release + advisory) before any public discussion.
We appreciate responsible disclosure and will credit reporters when we publish advisories (unless you prefer to stay anonymous).
- Change the default `admin/password` immediately after first setup.
- Keep dependencies updated (e.g. `pip install -U -r requirements.txt`).
- Run the app behind HTTPS in production when possible.
- Do not expose the app to the internet unless you need to; prefer local/VPN access.