If you discover a security vulnerability in vm2, please do not create a public issue.
Instead, use GitHub’s private vulnerability reporting feature to submit your report securely. This ensures sensitive information is shared privately with the maintainers and not exposed publicly.
Please include as much detail as possible to help us reproduce and assess the issue:
- Steps to reproduce
- Affected versions
- Environment and configuration details
- Potential impact (if known)
We follow a responsible disclosure process:
- You report the vulnerability privately via GitHub.
- We investigate, confirm, and prepare a fix.
- Once a fix is released, we’ll credit you (if you wish) in the release notes and security advisory.
- Only then will details of the vulnerability be made public.
The following versions of vm2 currently receive security updates:

| Version | Supported | Notes |
|---|---|---|
| 3.x | ✅ | Actively maintained |
| 2.x and older | ❌ | No longer supported |

Security is a top priority for this project. We take all reports seriously and aim to resolve verified issues quickly and transparently, with respect for both reporters and users.
Thank you for helping make vm2 safer for everyone. 🙏