LOAM is an actively developed project and security fixes are applied to the latest released version.
At the moment, only the most recent release is considered supported for security issues.

| Version | Supported |
|---|---|
| Latest release | Yes |
| Older releases | No |

Please do not open a public GitHub issue for suspected security vulnerabilities.
If you believe you have found a security issue in LOAM, please report it privately by emailing:
Please include as much detail as you can, for example:
- a description of the issue
- steps to reproduce it
- the version, commit, or branch of LOAM affected
- the impact you believe it may have
- any proof of concept, logs, screenshots, or configuration details that would help reproduce it safely

You can encrypt your report if needed. If you want to use encrypted email, mention that in your initial message and we can arrange a suitable method.

I will aim to:
- acknowledge receipt of your report within 5 working days
- assess and triage the report as quickly as possible
- keep you informed of the outcome where practical
- coordinate a fix and release before public disclosure where appropriate

This policy covers security issues in:
- the LOAM web application
- the LOAM server
- shared LOAM packages in this repository
- authentication, identity, messaging, syncing, storage, and network communication code
- the official project repository and published packages, if any

It does not cover:
- vulnerabilities in third-party dependencies outside LOAM’s own code, unless LOAM uses them in an unsafe way
- general usage questions or feature requests
- issues in unofficial forks, deployments, devices, or infrastructure not maintained by the LOAM project
- reports about insecure local networks, routers, browsers, operating systems, or hardware that are not caused by LOAM itself

Please allow reasonable time for investigation and remediation before making any public disclosure.

If a report is accepted as a genuine security issue, I may credit the reporter in release notes or documentation, unless you would prefer to remain anonymous.