Skip to content

Security: NeoLabs-Systems/NeoMail

Security

SECURITY.md

Security Policy

Supported Versions

Security fixes are applied to the latest stable release and, when affected, the current beta line. Older releases should be upgraded before a report is validated.

Report a Vulnerability Privately

Do not open a public issue for a suspected vulnerability.

Use GitHub's private vulnerability reporting to send the report to the maintainer.

Include:

  • The affected version or commit.
  • The affected component and runtime profile.
  • Reproduction steps or a minimal proof of concept.
  • The impact you observed.
  • Any known mitigations.

Do not include live credentials, personal data, or access to a production system. Use test accounts and redact logs.

The maintainer will confirm receipt, investigate the report, coordinate a fix, and credit the reporter when requested and appropriate. Please allow time for a release before publishing technical details.

Security Scope

Reports are especially useful when they involve:

  • Authentication or authorization bypass.
  • Cross-user mailbox or admin-boundary data access.
  • Secret, token, or personal-data exposure.
  • Encryption, session, API-key, OAuth, or bearer-token handling flaws.
  • Mail sync, SMTP send, MCP host, or external API authorization failures.
  • Injection through HTTP, WebSocket, MCP, mail content, or AI input surfaces.

Questions about hardening a normal deployment belong in a GitHub issue and should not include secrets.

There aren't any published security advisories