Security: B4rtekk1/Skysync

SECURITY.md

Security Policy

Supported Versions

Security updates are only provided for the following versions:

Version    Supported
1.x        ✅ Yes
< 1.0      ❌ No

Reporting a Vulnerability

Thank you for taking the time to disclose vulnerabilities responsibly!

Please do NOT report security issues publicly via GitHub Issues.
Instead, use one of the following private channels (the first one is strongly preferred):

  1. Preferred method – Open a private vulnerability report directly on GitHub:
    https://github.com/B4rtekk1/Skysync/security/advisories/new
    GitHub will automatically notify maintainers and keep details hidden from the public.

  2. Send an email to: bartoszkasyna@gmail.com

  3. As a last resort, send a direct message on GitHub or Discord '@bartekbk1'.

What to expect

  • Acknowledgment of receipt within 48 hours.
  • Initial triage within 7 days.
  • For accepted vulnerabilities: a fix in the next patch/minor release (critical issues usually ≤ 14 days).
  • Publication of a GitHub Security Advisory with credit to you (unless you prefer to remain anonymous).

Disclosure Policy

  • We follow coordinated disclosure.
  • Once the fix is released, a public GitHub Security Advisory will be created (you’ll be credited by name or pseudonym).
  • We’ll keep you updated throughout the entire process.

Scope

This policy applies only to code maintained in this repository and official releases.

Out-of-scope items include:

  • Denial-of-service attacks against running instances.
  • Security issues caused by misconfiguration in production.
  • Vulnerabilities in third-party dependencies that do not yet have a public CVE (these are handled automatically by Dependabot).

Bug Bounty

We currently do not offer a monetary bug-bounty program, but we are extremely grateful for responsible disclosures. Top reporters will be listed in our Hall of Fame (in README or a dedicated CONTRIBUTORS.md file) and receive eternal gratitude (and virtual pizza 🍕).

Thank you for helping keep the project and its users safe! ❤️