If you discover a security vulnerability in Arkloop, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Send an email to qingf622@outlook.com with:

• A description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Any suggested fixes (optional)

• Acknowledgment: within 48 hours of receiving the report.
• Initial assessment: within 7 days.
• Fix and disclosure: coordinated with the reporter. We aim to release patches within 30 days for confirmed vulnerabilities.

The following are in scope:

• Arkloop source code in this repository
• Official Docker images
• Arkloop Cloud service

The following are out of scope:

• Third-party dependencies (report to the respective maintainers)
• Issues in user-deployed configurations or custom modifications
• Social engineering attacks

We appreciate responsible disclosure. With your permission, we will acknowledge reporters in the release notes for the patch that addresses their finding.

Security patches are applied to the latest release. We do not maintain backports for older versions unless explicitly stated.