Security fixes are provided for the latest main branch and the latest release tag.
Please do not disclose security issues in public Issues.
Use one of the following channels:
- GitHub Security Advisories (preferred): https://github.com/tytsxai/social-copilot/security/advisories
- If advisories are unavailable, open an issue that contains no vulnerability details (no PoC, no affected code path, no impact description) and ask for a private contact channel; share the details only over that channel.
When reporting, include:
- Affected version / commit SHA
- Reproduction steps or PoC
- Impact scope and potential abuse path
- Suggested mitigation (if any)
Response targets after a report is received:
- Initial acknowledgement: within 72 hours
- Triage status update: within 7 days
- Fix ETA communication: as soon as the impact is confirmed
After a fix is released and users have had a reasonable upgrade window, we will publish:
- A changelog entry with impact summary
- Recommended upgrade/remediation steps
Guidelines for contributors:
- Never commit API keys, tokens, or user data (including fixtures copied from real accounts)
- Keep logs and diagnostics free of secrets and raw message content; log identifiers, sizes and status, not payloads
- Prefer minimal permissions and least-privilege changes (request only the scopes a feature actually needs)
- Add or adjust tests for security-critical paths (sanitization, validation, fallback behaviour when an upstream call fails)
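As an added example (it is not the project's own code, and it assumes the project emits structured log records as Python dicts with hypothetical field names such as `api_key`, `headers` and `message`), here is a log sanitizer that enforces the logging guideline above: credential fields are masked, raw message content is reduced to its length, and every remaining string, including nested ones, is scanned for common token shapes so a secret pasted into an unexpected field is still caught.

```python
import json
import re
from typing import Any, Dict, Optional

# Constructed patterns for common secret shapes (assumption: these cover the
# providers the project talks to; extend the list for your own services).
_SECRET_PATTERNS = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),                 # OpenAI-style API keys
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}"),             # GitHub tokens
    re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}"),           # Slack tokens
    re.compile(r"(?i)(?<=bearer )[A-Za-z0-9._~+/=-]{16,}"),  # Authorization: Bearer <token>
]

# Hypothetical field names; align them with the project's real log schema.
_SECRET_FIELDS = {"api_key", "token", "access_token", "password", "authorization"}
_CONTENT_FIELDS = {"message", "text", "content", "body"}

REDACTED = "[REDACTED]"


def redact_text(s: str) -> str:
    """Replace every secret-shaped substring with a fixed marker."""
    for pat in _SECRET_PATTERNS:
        s = pat.sub(REDACTED, s)
    return s


def sanitize_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a structured log record that is safe to emit.

    Credential fields are replaced by the marker, raw message content is
    replaced by its length, and all other strings are scanned for token shapes.
    Field-name matching is case-insensitive so "Authorization" is caught too.
    """
    def _walk(key: Optional[str], value: Any) -> Any:
        k = key.lower() if key else ""
        if k in _SECRET_FIELDS:
            return REDACTED
        if k in _CONTENT_FIELDS and isinstance(value, str):
            return {"len": len(value)}
        if isinstance(value, dict):
            return {ck: _walk(ck, cv) for ck, cv in value.items()}
        if isinstance(value, list):
            return [_walk(None, v) for v in value]
        if isinstance(value, str):
            return redact_text(value)
        return value

    return _walk(None, record)


def safe_log_line(record: Dict[str, Any]) -> str:
    """Serialize a sanitized record as a single JSON log line."""
    return json.dumps(sanitize_record(record), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample record; every credential here is fake.
    sample = {
        "event": "post_published",
        "user_id": 42,
        "api_key": "sk-abcdefghijklmnopqrstuvwxyz0123",
        "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature"},
        "message": "Hello world, here is my draft post",
        "error": "upstream rejected token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123",
    }
    print(safe_log_line(sample))
```

Run `sanitize_record` in the logging path (for example as a `logging.Filter` or inside the JSON formatter) rather than at individual call sites, so a new log statement cannot bypass it; a unit test over a record like the constructed sample above is the kind of "security-critical path" test the guideline asks for.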