We take security seriously and appreciate responsible disclosures.

| Version | Supported |
|---|---|
| main (active branch) | ✅ Yes |
| older branches | ❌ No |

We only support the latest main branch for security fixes.
If you’re using a fork or custom deployment, please stay up to date with the latest commit.
If you believe you’ve found a security issue, please do not open a public GitHub issue.
Instead, email the maintainer directly:
Security Contact: Ovanes Budakyan
Include the following information (if possible):
- A clear description of the issue
- Steps to reproduce or proof of concept
- The potential impact (data leak, privilege escalation, etc.)
- Suggested mitigation (if known)

- We’ll acknowledge your report within 48 hours.
- We’ll work with you to understand and reproduce the issue.
- A fix or patch will be developed privately.
- You’ll be credited (if desired) once the fix is released.
This applies to:
- The Python CLI tools and FastAPI backend
- The Next.js UI
- Any integration code involving GitLab/Jira/Drush automation
It does not cover unrelated third-party services (e.g., hosting, Ollama, OpenAI, or EC2 itself).
We ask that you do not publicly disclose vulnerabilities before an official fix is released.
Your help keeps Drupal DevOps Co-Pilot safe for everyone.