
Security: xfyyzy/soffio


Security Policy


We take the security of Soffio and its users seriously. If you discover a potential vulnerability, please follow the process below and avoid sharing details in public channels.

How to Report

  • Use GitHub Security Advisories (the repository exposes the “Report a vulnerability” button once enabled).
    • Include the affected component or path.
    • Provide reproduction steps.
    • Describe the impact (e.g., DoS, data exposure, privilege escalation).
    • Optional: attach a proof of concept or remediation suggestion.

Response Targets

  • Within 24 hours: acknowledge receipt.
  • Within 72 hours: share an initial assessment and next steps.
  • Within 7 days: deliver a fix or mitigation plan and coordinate disclosure timing.

Please keep reports confidential until a fix is released. If you need coordinated disclosure or aligned announcements, let us know when you report the issue.

Security Updates

  • Fixes ship through the standard release pipeline and are noted in CHANGELOG.md.
  • Critical advisories are also highlighted in the corresponding GitHub Release notes.

Thank you for helping us keep Soffio secure.
