Only the latest release on the main branch is supported with security updates.

Do NOT open a public issue.

To report a security vulnerability, please use GitHub's private vulnerability reporting:

👉 Report a vulnerability

1. Acknowledgment — We will acknowledge receipt of your report within 48 hours.
2. Initial assessment — We will provide an initial assessment within 7 days.
3. Collaboration — We will work with you to understand and reproduce the issue.
4. Disclosure timing — We will coordinate disclosure timing with you.
5. Credit — You will be credited in the security advisory unless you prefer to remain anonymous.

We ask that you:

• Give us reasonable time to address the vulnerability before disclosing publicly.
• Act in good faith to avoid privacy violations, data destruction, or service disruption.
• Do not access or modify data belonging to other users.

Thank you for helping keep OnRamp and its users safe.