If you discover a security issue in Launchstack, please do not open a public GitHub issue.
Email security@launchstack.dev with:
- A description of the issue and potential impact
- Steps to reproduce (or a proof-of-concept)
- The affected version(s) — commit SHA, tag, or @launchstack/core version
- Your suggested fix, if you have one
We'll acknowledge receipt within 2 business days and aim to ship a fix or mitigation within 14 days for high-severity issues.
We fix security issues on the main branch and in the most recent minor release of @launchstack/core. Older versions are not patched.
Once a fix is released we'll publish a GitHub Security Advisory crediting the reporter (unless you'd prefer to remain anonymous).