Security Policy
Supported versions
Section titled “Supported versions”| Version | Supported |
|---|---|
| 0.1.x | :white_check_mark: |
Reporting a vulnerability
Section titled “Reporting a vulnerability”Please do not report security vulnerabilities through public GitHub issues.
If you discover a security issue, report it privately:
- Open a GitHub Security Advisory (preferred), or
- Email security@meshql.dev with a description, reproduction steps, and impact assessment.
We aim to acknowledge reports within 48 hours and will work with you on a fix and coordinated disclosure timeline.
Security reports are welcome for:
@meshql/core,@meshql/http,@meshql/client,@meshql/upload- Query parsing, validation, and transport header handling
- Example applications in
examples/
Out of scope: third-party dependencies (report to upstream), social engineering, denial-of-service without a concrete flaw in MeshQL itself.
Safe harbor
Section titled “Safe harbor”We support good-faith security research. We will not pursue legal action against researchers who follow this policy and avoid privacy violations, data destruction, or service disruption.