| Version | Supported |
|---|---|
| 0.1.x | Yes |

If you discover a security vulnerability in Repowise, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email security@repowise.dev with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fix (optional)

We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.

The following are in scope:
- The `repowise` Python package (PyPI)
- The Repowise web UI
- The Repowise API server
- The MCP server
- GitHub Actions workflows in this repository

The following are out of scope:
- Vulnerabilities in third-party dependencies (report these upstream, but let us know so we can update)
- Issues requiring physical access to the machine running Repowise

We follow coordinated disclosure. Once a fix is released, we will:
- Credit the reporter (unless they prefer anonymity)
- Publish a security advisory via GitHub Security Advisories
- Release a patched version on PyPI