# Security Policy

Thank you for helping keep DeepSeek GUI and its users safe.

## Supported Versions

Security fixes are generally applied to the latest maintained code on the default branch and to the latest published release when practical. Older versions may not receive patches.

## Reporting a Vulnerability

Please do not open public GitHub issues for security-sensitive bugs.

Instead, report vulnerabilities privately through one of these channels:

- email: [zhongxingyuemail@gmail.com](mailto:zhongxingyuemail@gmail.com)
- GitHub Security Advisories: use the repository's private vulnerability reporting flow if enabled

When possible, include:

- a clear description of the issue
- affected version, commit, or release tag
- reproduction steps or proof of concept
- impact assessment
- any suggested mitigation

## Response Expectations

We aim to:

- acknowledge new reports within 3 business days
- confirm whether the issue is in scope
- keep the reporter informed as triage progresses
- publish a fix or mitigation as quickly as responsibly possible

## Scope Notes

Please report issues such as:

- remote code execution or privilege escalation
- unsafe file access or sandbox bypass
- credential, token, or secret leakage
- updater, packaging, or release integrity weaknesses
- vulnerabilities in bundled local services or integration paths

Please avoid public disclosure until a fix or mitigation is available and maintainers have had reasonable time to respond.