|
| 1 | +# Security policy |
| 2 | + |
| 3 | +## Reporting a vulnerability |
| 4 | + |
| 5 | +We take the security of Material for MkDocs seriously. If you believe you have found a security vulnerability in Material for MkDocs, we encourage you to report it to us responsibly. |
| 6 | + |
| 7 | +**Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.** |
| 8 | + |
| 9 | +Instead, please send a report to martin.donath@squidfunk.com with the following information: |
| 10 | + |
| 11 | +1. A description of the vulnerability and its potential impact. |
| 12 | +2. The steps required to reproduce the issue. |
| 13 | +3. Any relevant files, screenshots, or proof-of-concept code. |
| 14 | +4. Your name and contact information, if you would like to be credited. |
| 15 | + |
| 16 | +## Our commitment |
| 17 | + |
| 18 | +We are committed to working with security researchers and our community to address vulnerabilities quickly and transparently. When you submit a report, you can expect the following: |
| 19 | + |
| 20 | +- **Acknowledgement** within 3 business days of your report. |
| 21 | +- **Regular updates** on our progress as we investigate and address the issue. |
| 22 | +- **Confidentiality** – we will not share your personal information without your permission, and we ask that you keep the vulnerability confidential until we have had the opportunity to address it. |
| 23 | +- **Credit** – we are happy to acknowledge your contribution once the vulnerability has been resolved, if you would like. |
| 24 | + |
| 25 | +## Supported versions |
| 26 | + |
| 27 | +We release security fixes for the latest stable version of Material for MkDocs until its end-of-life date on **November 5, 2025**. We encourage all users to stay up to date with the latest release to ensure they benefit from all security patches. |
| 28 | + |
| 29 | +After **November 5, 2025**, Material for MkDocs will no longer receive public security updates as part of standard maintenance. |
| 30 | + |
| 31 | +Organizations with longer support requirements are welcome to contact us at martin.donath@squidfunk.com to discuss potential extended support options. |
| 32 | + |
| 33 | +## Scope |
| 34 | + |
| 35 | +This policy applies to vulnerabilities in the Material for MkDocs codebase. If you discover a vulnerability in a third-party dependency, please report it to the maintainers of that project directly. |
| 36 | + |
| 37 | +We take dependency security seriously. We are deliberate in our selection of third-party dependencies, and we actively monitor and update them to ensure Material for MkDocs remains on the latest stable versions. If you believe a dependency we use poses a security risk, feel free to bring it to our attention at martin.donath@squidfunk.com. |
0 commit comments