We release security fixes for the latest version of each project. We recommend always running the latest release.
Please do not report security vulnerabilities through public GitHub issues.
If you believe you have found a security vulnerability in any Polyphon project, report it privately using GitHub's private vulnerability reporting:
- Navigate to the affected repository on GitHub
- Click the Security tab
- Click Report a vulnerability
Alternatively, email security@polyphon.ai.
Please include as much of the following as possible so we can triage and respond quickly:
- Type of vulnerability (e.g. authentication bypass, data exposure, injection)
- Steps to reproduce or proof of concept
- Versions affected
- Potential impact
We will acknowledge receipt within 2 business days and aim to provide a fix or mitigation timeline within 7 business days.
We follow coordinated disclosure. We ask that you give us reasonable time to address a vulnerability before public disclosure. We will credit researchers who report valid issues in the release notes unless you prefer to remain anonymous.
All Polyphon repositories contain AI-assisted code. Review all configurations, scripts, and logic before deploying in sensitive or production environments.