We take security issues seriously. If you discover a security vulnerability, please report it responsibly.
Please do NOT open a public issue for security vulnerabilities.
Instead, report security issues via:
- GitHub Private Vulnerability Reporting: Use the "Report a vulnerability" button in the Security tab
- Direct contact: Open a draft issue and I'll be notified
To help us understand and resolve the issue, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your GitHub username (for acknowledgment)
You can expect the following response times:
- Acknowledgment: Within 48 hours
- Status update: Within 5 business days
- Resolution: Depends on severity and complexity
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| < 2.0 | ❌ |
When using PdfMerger:
- Keep dependencies updated: Regularly run `pip install --upgrade -r requirements.txt`
- Validate PDF sources: Only process PDFs from trusted sources
- Use strong passwords: When encrypting output, use complex passwords
- Secure your Flask instance: Don't expose the web interface publicly without proper authentication
- File size limits: The default 50MB upload limit helps prevent denial-of-service (DoS) attacks
Known limitations:
- The web interface is designed for local/trusted network use
- No built-in user authentication for the Flask app
- PDFs are temporarily stored in the system temp directory
Thank you for helping keep PdfMerger safe!