We actively support the latest version of whonion.dev. Security updates are applied to the main branch.

| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |

If you discover a security vulnerability, please do not open a public issue. Instead, please report it privately:

Send a detailed report to: contact@whonion.app

Please include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Depends on severity and complexity

When reporting vulnerabilities, please:
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access or modify data that does not belong to you
- Do not disrupt our services or other users
- Do provide detailed information to help us understand and reproduce the issue

What to expect from us:

- We will acknowledge receipt of your report within 48 hours
- We will keep you informed of our progress
- We will credit you in our security advisories (unless you prefer to remain anonymous)
- We will not take legal action against security researchers who act in good faith

In scope:

- Security vulnerabilities in the website codebase
- Authentication and authorization issues
- Data exposure or leakage
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- SQL injection (if applicable)
- Remote code execution

Out of scope:

- Denial of service (DoS) attacks
- Social engineering attacks
- Physical security issues
- Issues requiring physical access to devices
- Issues in third-party services or dependencies (please report to the respective maintainers)

We appreciate responsible disclosure and will recognize security researchers who help us improve the security of whonion.dev. Recognition may include:
- Credit in our security advisories
- Public acknowledgment (with your permission)

Thank you for helping keep whonion.dev secure!