We take security seriously. If you discover a security vulnerability in OpenWork, please report it responsibly.
Please do not publish exploit details in public GitHub issues.
OpenWork does not currently maintain a dedicated security email address. If GitHub private vulnerability reporting is available for this repository, use that channel. Otherwise, open a minimal public issue that requests maintainer contact without including exploit details, secrets, or proof-of-concept code.
Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any suggested fixes (optional)
Maintainers will review reports on a best-effort basis. Response and resolution timelines depend on maintainer availability and the severity of the issue.
This policy applies to:
- The OpenWork desktop application
- OpenWork server and shared packages
- Official OpenWork repositories
Out of scope:
- Third-party dependencies (report to their maintainers)
- Social engineering attacks
- Denial of service attacks
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We currently provide security updates for the latest version only. Please keep your installation up to date.
When using OpenWork:
- Keep credentials secure: Never commit `.env` files or credentials
- Use environment variables: Store secrets in environment variables
- Review permissions: Be cautious with "Execute" permission mode
- Update regularly: Keep the application updated
We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities (with their permission).