# Security Policy for OpenMAIC

Thank you for helping us keep OpenMAIC secure! We take the security of our platform, multi-agent engine, and users very seriously. 

## Supported Versions

We currently provide security updates for the latest major release and the active `main` branch. Please ensure you are running the most recent version of OpenMAIC before submitting a report.

| Version | Supported          |
| ------- | ------------------ |
| main    | :white_check_mark: |
| Latest Release | :white_check_mark: |
| Older Versions | :x:                |

## Reporting a Vulnerability

If you discover a security vulnerability in OpenMAIC, **please do not create a public GitHub issue.** Publicly disclosing a vulnerability can put other users and self-hosted instances at risk.

Instead, please report it privately using one of the following methods:
**GitHub Private Vulnerability Reporting:** Go to the [Security tab](https://github.com/THU-MAIC/OpenMAIC/security) of the repository, click on "Advisories", and select "Report a vulnerability".


**What to include in your report:**
* A description of the vulnerability and its potential impact.
* Detailed steps to reproduce the issue.
* Any relevant logs, screenshots, or code snippets.
* (Optional) Suggested mitigation or a patch.

We will acknowledge receipt of your vulnerability report within 48 hours and strive to send you regular updates about our progress.

## Disclosure Process

When a vulnerability is confirmed and patched, we will publish a GitHub Security Advisory detailing the issue, the impacted versions, and the fix. We will also credit the security researcher who reported the issue (unless they prefer to remain anonymous).