Only the latest release of Bifrost receives security fixes. Older versions get best-effort support. Please update before reporting.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ (best effort) |
Do not open a public GitHub issue for security reports.
Preferred — use GitHub's private vulnerability reporting:
- Go to the Security tab.
- Click Report a vulnerability.
- Describe the issue, include reproduction steps, and (if possible) a fix suggestion.
This creates a private advisory visible only to repository maintainers and can be published as a CVE/GHSA once fixed.
Alternatively, email the maintainer at [INSERT SECURITY EMAIL].
Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce (proof of concept if possible).
- Affected versions / components.
- Any suggested remediation.
- Acknowledgement: within 72 hours.
- Status update / ETA: once the report is validated.
- Fix: prioritized by severity. Coordinated disclosure is preferred.
Please give us a reasonable window to address the issue before any public disclosure.
In scope: the Bifrost server, bf CLI, the orchestrator/ system, and the
admin UI (bifrost/ui/).
Out of scope:
- Vulnerabilities in third-party dependencies — report these upstream to the relevant package.
- Issues caused by insecure custom configuration, weak JWT keys, or exposing the server without authentication.
- Self-hosted deployments missing security patches.
Thank you for helping keep Bifrost and its users safe.