Parsar is pre-1.0 and ships from main. Security fixes land on main and
are cut into the next tagged release. Older tags do not receive backports.
Please do not open a public GitHub issue for security problems.
Use GitHub's private vulnerability reporting instead:
➡️ https://github.com/MiniMax-AI-Dev/parsar/security/advisories/new
When filing, include:
- A description of the issue and its impact (what an attacker can do).
- A minimal reproduction — exact commands, requests, or steps.
- The version / commit SHA you tested against.
- Whether you would like public credit, and how to contact you.
- We will acknowledge the report within 5 business days.
- We aim to ship a fix or a documented mitigation within 30 days for high-severity issues, longer for low-severity. We will keep you updated.
- After the fix is released, we will publish a GitHub Security Advisory crediting you (unless you prefer to stay anonymous).
The following are not considered vulnerabilities for the purposes of this policy:
- Findings that require physical access to a developer's machine.
- Self-hosted misconfiguration (e.g. exposing the admin API to the internet without an auth proxy).
- Reports against third-party dependencies — file those upstream and let us know so we can bump.
Thank you for helping keep Parsar and its users safe.