As OpenShelves is in early development, security fixes are applied to the latest version on the develop branch. Once stable releases are published, this table will reflect which versions receive security updates.
| Version | Supported |
|---|---|
| Latest (develop) | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
We use GitHub's private vulnerability reporting feature. To report a vulnerability:
- Go to the Security tab of this repository.
- Click "Report a vulnerability".
- Fill in the details — what the vulnerability is, how to reproduce it, and its potential impact.
The Core Team will review and investigate your report and keep you updated throughout the process.
We ask that you:
- Give us reasonable time to investigate and address the issue before any public disclosure.
- Avoid accessing, modifying, or deleting data that isn't yours during testing.
- Act in good faith — we will do the same.
We appreciate your help in keeping OpenShelves and its users safe.
This policy covers the OpenShelves application code in this repository. If you discover a vulnerability in a third-party dependency used by this project, please report it to the respective maintainer. If you are unsure whether the vulnerability is in OpenShelves or a dependency, report it here and we will triage accordingly.
Reporters who responsibly disclose security issues may be credited in release notes or other changelogs at the Core Team's discretion, unless they prefer to remain anonymous.