Skip to content

Security Policy

Version Supported
0.1.x :white_check_mark:

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security issue, report it privately:

  1. Open a GitHub Security Advisory (preferred), or
  2. Email security@meshql.dev with a description, reproduction steps, and impact assessment.

We aim to acknowledge reports within 48 hours and will work with you on a fix and coordinated disclosure timeline.

Security reports are welcome for:

  • @meshql/core, @meshql/http, @meshql/client, @meshql/upload
  • Query parsing, validation, and transport header handling
  • Example applications in examples/

Out of scope: third-party dependencies (report to upstream), social engineering, denial-of-service without a concrete flaw in MeshQL itself.

We support good-faith security research. We will not pursue legal action against researchers who follow this policy and avoid privacy violations, data destruction, or service disruption.