We take the security of OrbitKit and our users' data seriously.
Please do not open a public issue for security vulnerabilities.
Instead, email security@orbitkit.io (or help@orbitkit.io) with:
- a description of the issue and its impact,
- steps to reproduce, and
- any relevant logs or proof of concept.

We aim to acknowledge reports within 2 business days and to provide a remediation timeline after triage. We're happy to credit reporters once a fix has shipped, unless you prefer to remain anonymous.

This policy covers the OrbitKit service (orbitkit.io, api.orbitkit.io),
the hosted MCP server, and the open-source projects in this organization
(OrbitKit CLI, OrbitKit Deploy).

The hosted service always runs the latest version. For the CLI and Action, only the latest released major version receives security fixes.