OpenConcho follows semantic versioning via semantic-release. Only the latest minor release on main receives security fixes.

Please do not open public issues for security reports.

Use GitHub's private vulnerability reporting to file a report. Include:

• A description of the issue and its impact
• Steps to reproduce
• Affected version(s)
• Any mitigations you've identified

You should expect an acknowledgement within 72 hours and a fix or status update within 14 days.

OpenConcho is a frontend client. It stores connection config (base URL, optional token) in localStorage under the keys openconcho:config and openconcho:theme. It makes no network requests outside the Honcho instance you configure.

In-scope:

• XSS, CSRF, or other client-side vulnerabilities in the OpenConcho UI
• Token leakage from localStorage to third parties
• Build-toolchain supply-chain issues

Out of scope:

• Vulnerabilities in your own Honcho instance — report those upstream at plastic-labs/honcho
• Issues that require physical access to an unlocked device