Open Claude is currently maintained on the latest main branch and the latest
npm release only.
| Version | Supported |
|---|---|
| Latest release | ✅ |
| Older releases | ❌ |
| Unreleased forks / modified builds | ❌ |
Security fixes are generally released in the next patch version and may also be
landed directly on main before a package release is published.
If you believe you have found a security vulnerability in Open Claude, please report it privately.
Preferred reporting channel:
- GitHub Security Advisories / private vulnerability reporting for this repository
Please include:
- a clear description of the issue
- affected version, commit, or environment
- reproduction steps or a proof of concept
- impact assessment
- any suggested remediation, if available
Please do not open a public issue for an unpatched vulnerability.
Our general goals are:
- initial triage acknowledgment within 7 days
- follow-up after validation when we can reproduce the issue
- coordinated disclosure after a fix is available
Severity, exploitability, and maintenance bandwidth may affect timelines.
Valid reports may be fixed privately first and disclosed after a patch is available.
If a report is accepted and the issue is significant enough to warrant formal tracking, we may publish a GitHub Security Advisory and request or assign a CVE through the appropriate channel. CVE issuance is not guaranteed for every report.
This policy applies to:
- the Open Claude source code in this repository
- official release artifacts published from this repository
- the
@gitlawb/openclaudenpm package
This policy does not cover:
- third-party model providers, endpoints, or hosted services
- local misconfiguration on the reporter's machine
- vulnerabilities in unofficial forks, mirrors, or downstream repackages