# Security Policy ## Supported Versions Security fixes are issued only against the latest released version. Older versions do not receive backported patches — please upgrade before reporting, and confirm the issue still reproduces on the latest release where possible. | Version | Supported | |----------|-----------| | latest | ✅ | | < latest | ❌ | ## Reporting a Vulnerability **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** ### Preferred: GitHub Private Vulnerability Reporting Use GitHub's built-in private reporting workflow: ➡️ **[Report a vulnerability](https://github.com/cbcoutinho/nextcloud-mcp-server/security/advisories/new)** This opens a private draft security advisory visible only to the repository maintainers. You can also reach the same form from the **Security** tab → **Report a vulnerability**. ### Fallback: Email If you cannot use GitHub's private reporting (for example, you don't have a GitHub account), email: **security@astrolabecloud.com** ### What to include Whichever channel you use, please include as much of the following as you can to help us triage: - A description of the vulnerability and its potential impact - Steps to reproduce (proof-of-concept code, if applicable) - The version(s) of the project affected - Any known mitigations or workarounds We aim to: - Acknowledge reports within 5 business days. - Provide a fix or mitigation timeline within 30 days. - Work with you on coordinated disclosure.