Only the latest release on the main branch receives security fixes. We do not backport patches to older releases.
| Version | Supported |
|---|---|
main (latest) |
✅ |
| Older releases | ❌ |
Please do NOT open a public GitHub issue for security vulnerabilities. Doing so could expose users before a fix is available.
Instead, report vulnerabilities through GitHub's private security advisory mechanism:
- Go to the Security tab of this repository.
- Click "Report a vulnerability".
- Fill in the form with as much detail as possible.
If you prefer e-mail, you can reach the maintainer at the address listed on their GitHub profile.
To help us triage and fix the issue quickly, please provide:
- Description – a clear summary of the vulnerability.
- Impact – what an attacker can achieve (e.g., unauthenticated RCE, SQL injection, JWT bypass).
- Steps to reproduce – a minimal reproduction case, including any exploit code or PoC.
- Affected component – which file(s), endpoint(s), or feature(s) are vulnerable.
- Suggested fix (optional) – if you have a patch or idea for remediation.
| Step | Target time |
|---|---|
| Acknowledgement of report | Within 48 hours |
| Initial triage and severity assessment | Within 5 business days |
| Fix or workaround published | Depends on severity (see below) |
| Severity | Fix target |
|---|---|
| Critical / High | Within 7 days |
| Medium | Within 30 days |
| Low / Informational | Best effort |
This policy covers the AzerothPanel application code — the FastAPI backend, React frontend, host daemon (ac_host_daemon.py), and Docker configuration.
It does not cover:
- AzerothCore itself (report to the AzerothCore project).
- Third-party dependencies — report vulnerabilities in dependencies to their respective maintainers; please also open a non-sensitive issue here so we can update the dependency.
- Vulnerabilities that require physical access to the host machine.
Once a fix is released, we will:
- Publish a GitHub Security Advisory.
- Credit the reporter (unless they prefer to remain anonymous).
- Tag a new release and update the
CHANGELOG.md.
We follow a coordinated disclosure approach and ask reporters to respect a 90-day embargo after the fix is available before publishing their own write-up.