Security: via-rs/via

SECURITY.md

Security Policy

Our goal is to provide our users with dependable and secure software that they should not have to think twice about using.

In service of this goal, we ensure that security issues are identified, fixed, and disclosed in a responsible and coordinated manner.

Supported Versions

The following table shows the versions of Via that are currently receiving security updates.

| Version | Supported |
|---------|-----------|
| >= 2 | ✅ Yes (active) |
| <= 1 | ❌ No longer supported |

Reporting a Vulnerability

We greatly appreciate researchers and users who report vulnerabilities responsibly and privately. Publicly disclosing security issues before a fix is available can put users at risk.

⚠️ If you discover a security vulnerability, please do not open a public issue.

🥷 Instead, report it privately so we can work together to fix it responsibly.


Send an email to vulnerable.via@gmail.com. Include a clear description of the vulnerability, the impact it has on users, and steps to reproduce.

You may optionally suggest a mitigation or patch as part of the message. If we agree that the proposed solution is correct, we will respond with permission to open a pull request, along with advice on how to write the description without leaking details before the disclosure and patch become publicly available.

Timeline

  • We will acknowledge your report within 24 hours
  • We aim to provide an initial assessment the same day
  • Once confirmed, we will do the following:
    • Work on a fix and coordinate a release
    • Publicly disclose the issue only after a patch is available
    • Give you credit in the advisory (optional)

If we haven’t responded within the expected timeframe, you may follow up using the same contact method.


❤️ Thank you for helping keep Via and our community safe.

There aren’t any published security advisories