Security: JosephMaynard/loam

Security

SECURITY.md

Security Policy

Supported Versions

LOAM is an actively developed project and security fixes are applied to the latest released version.

At the moment, only the most recent release is considered supported for security issues.

Version          Supported
Latest release   Yes
Older releases   No

Reporting a Vulnerability

Please do not open a public GitHub issue for suspected security vulnerabilities.

If you believe you have found a security issue in LOAM, please report it privately by emailing:

magicaltrailsapp@gmail.com

Please include as much detail as you can, for example:

  • a description of the issue
  • steps to reproduce it
  • the version, commit, or branch of LOAM affected
  • the impact you believe it may have
  • any proof of concept, logs, screenshots, or configuration details that would help reproduce it safely

You can encrypt your report if needed. If you want to use encrypted email, mention that in your initial message and we can arrange a suitable method.

What to Expect

I will aim to:

  • acknowledge receipt of your report within 5 working days
  • assess and triage the report as quickly as possible
  • keep you informed of the outcome where practical
  • coordinate a fix and release before public disclosure where appropriate

Scope

This policy covers security issues in:

  • the LOAM web application
  • the LOAM server
  • shared LOAM packages in this repository
  • authentication, identity, messaging, syncing, storage, and network communication code
  • the official project repository and published packages, if any

It does not cover:

  • vulnerabilities in third-party dependencies outside LOAM’s own code, unless LOAM uses them in an unsafe way
  • general usage questions or feature requests
  • issues in unofficial forks, deployments, devices, or infrastructure not maintained by the LOAM project
  • reports about insecure local networks, routers, browsers, operating systems, or hardware that are not caused by LOAM itself

Disclosure

Please allow reasonable time for investigation and remediation before making any public disclosure.

If a report is accepted as a genuine security issue, I may credit the reporter in release notes or documentation, unless you would prefer to remain anonymous.

There aren't any published security advisories