# Security Policy

## Supported Versions

We currently support the latest stable version of Gokapi. Security updates are provided on a best-effort basis for the most recent release.

| Version | Supported          |
| ------- | ------------------ |
| Latest  | ✅                 |
| Older   | ❌                 |

## Reporting a Vulnerability

If you discover a security vulnerability in Gokapi, please **do not open a public issue**.

Instead, use GitHub’s [**"Report a vulnerability"**](https://github.com/Forceu/Gokapi/security/advisories/new) feature on this repository. This ensures your report stays private and will be reviewed promptly by the maintainers.

To report a vulnerability:

1. Go to the **Security** tab of the Gokapi repository.
2. Click on **"Report a vulnerability"**.
3. Fill out the form with as much detail as possible.

We aim to acknowledge valid reports within **3 business days** and address them as quickly as possible.

## Disclosure Policy

Once a vulnerability is reported, we will:

1. Acknowledge receipt within 72 hours.
2. Investigate and validate the issue.
3. Develop a fix or mitigation strategy.
4. Coordinate a release with credit to the reporter (unless anonymity is requested).
5. Publish a security advisory via GitHub once the fix is released.

## Scope

This policy applies to the Gokapi codebase and documentation in this repository. Vulnerabilities in third-party dependencies should be reported to the appropriate maintainers.

---

Thank you for helping keep Gokapi secure!