Northern_Lights/cherry-studio
1
0
Fork 0
mirror of https://github.com/CherryHQ/cherry-studio.git synced 2025-12-19 06:30:10 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
4a4d861592
cherry-studio/SECURITY.md
fullex 4a4d861592
docs: Update SECURITY.md 
change email report to Security page report
2025-07-17 23:00:14 +08:00

65 lines
2.3 KiB
Markdown
Raw Blame History

# Security Policy
## 📢 Reporting a Vulnerability
At Cherry Studio, we take security seriously and appreciate your efforts to responsibly disclose vulnerabilities. If you discover a security issue, please report it as soon as possible.
**Please do not create public issues for security-related reports.**
- To report a security issue, please use the GitHub Security Advisories tab to "[Open a draft security advisory](https://github.com/CherryHQ/cherry-studio/security/advisories/new)".
- Include a detailed description of the issue, steps to reproduce, potential impact, and any possible mitigations.
- If applicable, please also attach proof-of-concept code or screenshots.
We will acknowledge your report within **72 hours** and provide a status update as we investigate.
---
## 🔒 Supported Versions
We aim to support the latest released version and one previous minor release.
| Version | Supported |
|-----------------|--------------------|
| Latest (`main`) | ✅ Supported |
| Previous minor | ✅ Supported |
| Older versions | ❌ Not supported |
If you are using an unsupported version, we strongly recommend updating to the latest release to receive security fixes.
---
## 💡 Security Measures
Cherry Studio integrates several security best practices, including:
- Strict dependency updates and regular vulnerability scanning.
- TypeScript strict mode and linting to reduce potential injection or runtime issues.
- Enforced code formatting and pre-commit hooks.
- Internal security reviews before releases.
- Dedicated MCP (Model Context Protocol) safeguards for model interactions and data privacy.
---
## 🛡️ Disclosure Policy
- We follow a **coordinated disclosure** approach.
- We will not publicly disclose vulnerabilities until a fix has been developed and released.
- Credit will be given to researchers who responsibly disclose vulnerabilities, if requested.
---
## 🤝 Acknowledgements
We greatly appreciate contributions from the security community and strive to recognize all researchers who help keep Cherry Studio safe.
---
## 🌟 Questions?
For any security-related questions not involving vulnerabilities, please reach out to:
**security@cherry-ai.com**
---
Thank you for helping keep Cherry Studio and its users secure!
Reference in New Issue View Git Blame Copy Permalink