# Security Policy

## Supported Versions

| Version | Supported |
|---|---|
| 0.1.x | ✅ |

Only the latest release on the next branch receives security updates.
## Reporting a Vulnerability

Do not open a public issue for security vulnerabilities.

Email kimlimjustin@gmail.com with:

- A clear description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
## Response Timeline

- 48 hours: initial acknowledgment
- 7 days: triage and severity assessment
- 30 days: target for a fix or mitigation (critical issues faster)
## Scope

- Extension sandbox escapes (accessing APIs or data outside granted permissions)
- File system access beyond what the user has permitted
- Command injection through file names, paths, or extension inputs
- Cross-site scripting (XSS) in the webview layer
- Privilege escalation via Tauri commands
- Sensitive data exposure (credentials, tokens, file contents leaking to extensions)
## Disclosure Process

- The report is triaged and a severity is assigned (Critical / High / Medium / Low).
- A fix is developed on a private branch.
- A new patch release is published with a changelog entry describing the issue at a high level.
- The reporter is credited (unless they prefer anonymity).
## Recommendations for Users

- Keep your Xplorer installation up to date.
- Review extension permissions before granting access.
- Do not install extensions from untrusted sources.