Security: rewulff/calendula

SECURITY.md

Security Policy

Supported Versions

Security fixes are applied to the latest minor release line. Older versions are not backported.

Version    Supported
0.4.x      Yes
< 0.4      No

Reporting a Vulnerability

Please report security vulnerabilities privately — do not open a public issue, pull request, or discussion for a suspected vulnerability.

The preferred channel is GitHub Private Vulnerability Reporting:

  1. Go to the repository's Security tab.
  2. Click Report a vulnerability.
  3. Fill in the details (affected version, reproduction steps, impact).

This keeps the report confidential between you and the maintainer while a fix is prepared, and requires no plaintext contact details from either side.

Response Expectations

Calendula is a hobby / solo-maintained project, so responses are best effort — there is no guaranteed response time or formal SLA. Reports are reviewed and triaged as time permits, and confirmed issues are addressed in a subsequent release. Thank you for your patience and for reporting responsibly.

Threat Model & Hardening

For the application's security model, deployment hardening, and reverse-proxy / network-level access controls, see docs/security.md. That document describes how to run Calendula securely; this file describes how to report a problem.

There aren't any published security advisories