If you discover a security vulnerability in Harmony, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email: [email protected]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Fix release: Within 30 days for critical issues
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor | Security fixes only |
| Older | No |
The following are in scope:
- Harmony API (harmony-api)
- Harmony Desktop App (harmony-app)
- Supabase configuration and RLS policies
- Docker Compose deployment configuration
The following are out of scope:
- Third-party dependencies (report upstream)
- Supabase Cloud infrastructure (report to Supabase)
- LiveKit infrastructure (report to LiveKit)