Security: opensource-together/ost-linker

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in OST Linker, please report it responsibly by emailing contact@opensource-together.com.

Please do NOT open public issues for security vulnerabilities. We will acknowledge your report and coordinate a fix privately.

What to Report

  • SQL injection or command injection vulnerabilities
  • Credential or secret exposure (API keys, tokens, passwords)
  • Authentication or authorization bypass
  • Denial of service vulnerabilities
  • Dependency vulnerabilities (known CVEs)

Response Timeline

  • Acknowledgment: within 48 hours
  • Assessment: within 1 week
  • Fix: depends on severity; critical issues are prioritized

Supported Versions

Only the latest version on the staging branch is actively maintained. We do not backport security fixes to older versions.

There aren’t any published security advisories