We take security issues seriously and appreciate responsible disclosure.
Please use GitHub Security Advisories instead of opening a public issue for sensitive findings.

- Security Advisories: https://github.com/LeonGaoHaining/opencowork/security/advisories
- Contact: leon.gao@opencowork.com

Please include:

- affected version(s),
- severity assessment,
- reproduction steps,
- expected vs actual behavior,
- an optional remediation suggestion.

| Severity | First Response | Target Fix Window |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 3 days | 14 days |
| Medium | 7 days | 30 days |
| Low | 14 days | 90 days |

OpenCowork is often deployed in trusted single-user desktop environments. That deployment model changes risk priorities for some classes of issues, but it does not eliminate the need to report meaningful vulnerabilities.

Security fixes are released in patch versions whenever possible, for example `v0.10.9` -> `v0.10.10`.

We appreciate responsible disclosure and will credit reporters when appropriate.