We take the security of the Off Grid AI Console seriously. This document explains how to report a vulnerability and what to expect after you do.
Do not open a public GitHub issue for a security vulnerability. Public disclosure before a fix is available puts users at risk.
Report it privately by email to:
mac@getoffgridai.co
When you report, include as much of the following as you can:
- A description of the vulnerability and the impact you believe it has.
- The steps to reproduce it, or a proof of concept.
- The affected version, commit, or route.
- Any suggested remediation, if you have one.
- We acknowledge your report within a few business days.
- We investigate and confirm the issue, then work on a fix.
- We keep you informed of progress and let you know when a fix ships.
- We credit you for the report if you would like, once the fix is public.
Please give us reasonable time to release a fix before any public disclosure. We will work with you on a coordinated timeline.
The project is pre-1.0 and moves fast. Security fixes land on the main branch, and we recommend running the latest release. Older versions are not patched separately. Once the project reaches a stable release line, this section will list the versions that receive security updates.
This policy covers the console application in this repository. Vulnerabilities in third-party dependencies should be reported to their respective projects, though we welcome a heads-up so we can update or patch on our side.