| Version | Supported |
|---|---|
| 0.1.x | Yes |
| < 0.1 | No |

Do NOT report security vulnerabilities via public GitHub Issues.
LinkWork uses GitHub Private Vulnerability Reporting.
- Go to the Security Advisories page.
- Click "Report a vulnerability".
- Fill in the details: description, impact, reproduction steps, and any suggested fix.

You do not need to disclose your email address publicly.

| Milestone | Target |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix / mitigation plan | Within 14 days |
| Public disclosure | After fix is released |

The following are in scope:
- Authentication and authorization bypass
- Remote code execution
- Container escape / sandbox bypass in `linkwork-executor`
- Injection vulnerabilities (SQL, command, path traversal)
- Secrets exposure in logs or API responses
- Privilege escalation

The following are out of scope:
- Vulnerabilities in third-party dependencies not yet patched upstream
- Issues requiring physical access to the server
- Social engineering attacks

We follow coordinated disclosure. We will credit reporters in the security advisory unless they prefer to remain anonymous.