
Security: Logos-Flux/mnemo


SECURITY.md

Security Policy

Supported Versions

Only the latest minor release line receives security updates. Older lines are end-of-life on the release of a new minor version.

Version   Supported
0.2.x     ✅
0.1.x     ❌ (end-of-life on release of 0.2.0)

Reporting a Vulnerability

Please do not file public GitHub issues for security problems.

The preferred channel is GitHub Private Security Advisories:

If you cannot use GitHub advisories, you may email lf@logosflux.io with a description of the issue, reproduction steps, and any relevant logs or proof-of-concept material. PGP is not currently required.

Response targets

  • Acknowledgement of receipt: within 72 hours.
  • Initial assessment (severity, scope, expected timeline): within 7 days.
  • Fix and coordinated disclosure: timeline agreed with the reporter, prioritised by severity.

Scope

In scope:

  • Source code in this repository (the @mnemo/core, @mnemo/mcp-server, @mnemo/cf-worker, and @mnemo/local packages).
  • Default configuration, deployment templates, and documented setup procedures shipped from this repo.

Out of scope:

  • Third-party hosting or operation of the Cloudflare Worker (those deployments are owned by their operators).
  • User-side rotation and storage of credentials such as GEMINI_API_KEY and MNEMO_AUTH_TOKEN — managing these is the user's responsibility.
  • Vulnerabilities in upstream dependencies that are already publicly disclosed and have an upstream advisory; please report those upstream and (optionally) let us know so we can pin or patch.

Disclosure

We follow a coordinated-disclosure model. Once a fix is available and released, we will publish an advisory describing the issue, affected versions, and remediation. Reporters who would like to be credited will be acknowledged in the advisory and the changelog; the wishes of reporters who prefer to remain anonymous will be respected.
