Our top priority is keeping our users' data safe. If you have found an issue in our systems, please reach out to us.
If you believe you have found a vulnerability, please disclose it by contacting us at security@holdfast.dev.
Please try your best to describe a clear and realistic impact for your report.

| Version | Supported |
|---|---|
| main branch | ✅ |
| any other | ❌ |

Note: Please use a self-hosted instance to perform any tests. Do not use a production deployment for security testing.
Examples of issues we consider in scope:

- Remote command execution
- SQL injection
- Cross-site scripting (XSS)
- Performing admin actions without authorization

We consider the following out of scope, though there may be exceptions.

- Reports from automated tools or scanners
- Theoretical attacks without proof of exploitability
- Social engineering
- Physical attacks
- Denial of Service attacks
- Brute force attacks

Thank you for keeping HoldFast and our users safe.