Security: hubertusgbecker/chatsuite

SECURITY.md

Security Policy

Thank you for taking security seriously. This document explains how to report security vulnerabilities responsibly for ChatSuite and what to expect after you report.

Reporting a Vulnerability

If you discover a security vulnerability in ChatSuite, please report it privately to the maintainers so we can respond and remediate safely.

  • Preferred: Send an email to hubertus@hubertusbecker.com with:

    • A concise summary of the issue
    • Affected components and versions (if applicable)
    • Steps to reproduce, PoC, or sample code
    • Any suggested mitigations or patches
  • If you prefer encrypted email, include a PGP-encrypted message. (Maintain the PGP public key here if you publish one.)

Do NOT open a public issue for a security vulnerability unless you cannot reach the maintainers or unless the vulnerability has already been fixed and public disclosure is intended.

Response Timeline

  • Acknowledge receipt: within 72 hours.
  • Triage and initial assessment: within 7 days.
  • Remediation plan and follow-up: within 30 days (timeline may vary by severity).

We will keep you updated on progress and coordinate disclosure timing. If you require confidentiality beyond email, include that request in your initial message.

Public Disclosure

We follow coordinated disclosure practices. We will not disclose reported issues publicly until a fix is available or until a mutually agreed disclosure date. We welcome authorship credit on advisories when appropriate.

Supported Versions

Security fixes are generally provided for the current release and the previous stable release. If you are unsure which versions are supported, include the version information when reporting.

Safe Harbor

We welcome and appreciate responsible disclosure. We will not initiate legal action against individuals acting in good faith to report security issues in accordance with this policy.

Thank you — we appreciate your help keeping ChatSuite secure.