Security fixes are provided for the following CloudBlocks releases:

| Version | Supported |
|---|---|
| 0.6.x | ✅ Current |
| < 0.6 | ❌ No longer supported |
If you discover a security vulnerability in CloudBlocks, please report it responsibly.
- Do not open a public GitHub issue for security vulnerabilities.
- Use GitHub Security Advisories (private):
  - Report a vulnerability
- Keep details out of public issues and discussions.
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We aim to respond on the following timeline:

- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix or mitigation: dependent on severity
The following areas are in scope:
- Authentication and session management (`cb_session` and `cb_oauth` cookies)
- GitHub OAuth flow security
- API endpoint authorization
- Cross-site scripting (XSS) in the visual builder
- Cross-site request forgery (CSRF) protections
- Dependency vulnerabilities
For details on CloudBlocks' security boundaries and threat model, see:
- Security Boundaries — Authentication, authorization, and data protection design
We follow coordinated vulnerability disclosure. We will credit reporters in release notes unless anonymity is requested.