The latest stable release of Morphix receives security fixes. Older versions are not back-patched.
| Version | Supported |
|---|---|
| v1.0.0 (current) | ✅ |
| Older builds | ❌ |
If you find a security issue in Morphix, please report it privately — don't open a public GitHub issue.
Email: moner.intelligence@gmail.com
Include:
- The Morphix version (Help → About)
- Your operating system + version
- A clear description of the issue and its impact
- Steps to reproduce — minimal repro is best
- Any proof-of-concept files (encrypted or zipped if sensitive)
You'll get an initial acknowledgement within 72 hours. Confirmed issues are triaged on severity:
- Critical — patched in the next point release; coordinated disclosure once a fix ships
- High / Medium — patched in the next minor release
- Low — bundled with regular maintenance
Please allow a reasonable window for the fix to ship before public disclosure. Coordinated disclosure protects users; full credit goes to the reporter unless anonymity is requested.
The following don't qualify as Morphix vulnerabilities:
- Issues in third-party sidecars (FFmpeg, LibreOffice, qpdf) — report those upstream
- Windows SmartScreen warnings on first launch — v1.0.0 ships unsigned by design
- Conversion failures for malformed input files — those are bugs, not vulnerabilities; use the regular GitHub issue tracker
- Known limitations documented in the README or CHANGELOG
The Morphix maintainers will not:
- Pay bug bounties (no program exists yet)
- Disclose reporter details without consent
- Sit on confirmed critical issues longer than the next point release
Morphix applies the following defense-in-depth limits to prevent zip-bomb and resource-exhaustion attacks during archive extraction:
- Total extraction size — capped at 10 GB per archive
- Per-entry size — capped at 4 GB for any single file inside an archive
- Total entry count — capped at 100,000 entries per archive
Archives exceeding any of these limits abort with a clear error rather than silently consuming disk or memory. Path-traversal (zip-slip) is independently blocked by `morphix_utils::fs::safe_extract_path` for every entry. See `src/converters/src/archives/archive_io.rs` for the implementation.
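
One way to enforce the three limits and the per-entry path check together while streaming entries, as an added example that is not taken from Morphix's `archive_io.rs` or `safe_extract_path`. The `Limits` and `Budget` types are hypothetical, GB is assumed to mean 10^9 bytes, and the path check is lexical only (symlink entries are out of scope).

```rust
use std::io::{Read, Write};
use std::path::{Component, Path, PathBuf};

pub struct Limits { pub total_bytes: u64, pub entry_bytes: u64, pub entries: u64 }

pub struct Budget { limits: Limits, total: u64, count: u64 }

impl Budget {
    pub fn new(limits: Limits) -> Self { Budget { limits, total: 0, count: 0 } }

    /// Count the entry and resolve its name under `root`; only plain
    /// components are accepted, so `..`, absolute paths and drive prefixes fail.
    pub fn begin_entry(&mut self, root: &Path, name: &str) -> Result<PathBuf, String> {
        self.count += 1;
        if self.count > self.limits.entries { return Err("entry count limit exceeded".into()); }
        let mut out = root.to_path_buf();
        for c in Path::new(name).components() {
            match c {
                Component::Normal(part) => out.push(part),
                Component::CurDir => {}
                _ => return Err(format!("unsafe entry path: {}", name)),
            }
        }
        Ok(out)
    }

    /// Stream one entry, charging the bytes the reader actually yields
    /// (a declared size in an archive header can understate the real output).
    pub fn copy_entry<R: Read, W: Write>(&mut self, mut src: R, mut dst: W) -> Result<u64, String> {
        let (mut buf, mut written) = ([0u8; 8192], 0u64);
        loop {
            let n = src.read(&mut buf).map_err(|e| e.to_string())? as u64;
            if n == 0 { return Ok(written); }
            written += n;
            self.total += n;
            if written > self.limits.entry_bytes { return Err("per-entry size limit exceeded".into()); }
            if self.total > self.limits.total_bytes { return Err("total size limit exceeded".into()); }
            dst.write_all(&buf[..n as usize]).map_err(|e| e.to_string())?;
        }
    }
}

fn main() {
    // Limits from the policy above; GB is taken as 10^9 bytes (assumption).
    let policy = Limits { total_bytes: 10_000_000_000, entry_bytes: 4_000_000_000, entries: 100_000 };
    let mut budget = Budget::new(policy);
    // Constructed sample entries: one benign name, one traversal attempt.
    for name in &["docs/readme.txt", "../../outside.txt"] {
        match budget.begin_entry(Path::new("out"), name) {
            Ok(p) => println!("{} -> {}", name, p.display()),
            Err(e) => println!("{} rejected: {}", name, e),
        }
    }
}
```

A caller would pass the decompressing reader for each entry to `copy_entry` and abort the whole extraction on the first `Err`.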