| # Security Policy for OpenMAIC | |
| Thank you for helping us keep OpenMAIC secure! We take the security of our platform, multi-agent engine, and users very seriously. | |
| ## Supported Versions | |
| We currently provide security updates for the latest major release and the active `main` branch. Please ensure you are running the most recent version of OpenMAIC before submitting a report. | |
| | Version | Supported | | |
| | ------- | ------------------ | | |
| | main | :white_check_mark: | | |
| | Latest Release | :white_check_mark: | | |
| | Older Versions | :x: | | |
| ## Reporting a Vulnerability | |
| If you discover a security vulnerability in OpenMAIC, **please do not create a public GitHub issue.** Publicly disclosing a vulnerability can put other users and self-hosted instances at risk. | |
| Instead, please report it privately using one of the following methods: | |
| **GitHub Private Vulnerability Reporting:** Go to the [Security tab](https://github.com/THU-MAIC/OpenMAIC/security) of the repository, click on "Advisories", and select "Report a vulnerability". | |
| **What to include in your report:** | |
| * A description of the vulnerability and its potential impact. | |
| * Detailed steps to reproduce the issue. | |
| * Any relevant logs, screenshots, or code snippets. | |
| * (Optional) Suggested mitigation or a patch. | |
| We will acknowledge receipt of your vulnerability report within 48 hours and strive to send you regular updates about our progress. | |
| ## Disclosure Process | |
| When a vulnerability is confirmed and patched, we will publish a GitHub Security Advisory detailing the issue, the impacted versions, and the fix. We will also credit the security researcher who reported the issue (unless they prefer to remain anonymous). | |