| Version | Supported |
|---|---|
| 1.5.x | ✅ |
| < 1.5.5 | ❌ |

Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting to submit a report confidentially.

Alternatively, email burtelgamerpro@gmail.com with the subject line `[SECURITY] Group-Protocol-Stack`.

Please include in your report:

- A clear description of the vulnerability and its impact
- Steps to reproduce (proof-of-concept code if possible)
- Affected versions
- Any suggested mitigations

| Stage | Target |
|---|---|
| Initial acknowledgement | 48 hours |
| Triage and severity assessment | 5 business days |
| Fix or workaround available | 30 days (critical), 90 days (others) |
| Public disclosure | After fix is released |

We follow responsible disclosure: we will coordinate a public disclosure date with you after the fix is ready.

This policy covers vulnerabilities in the GBP/GTP/GAP/GSP protocol implementations, cryptographic primitives, MLS integration, SFrame media encryption, and the FFI layer exposed to .NET, Node.js, and Python.

Out of scope: vulnerabilities in third-party dependencies (report those upstream), build tooling, and documentation.