| Version | Supported |
|---|---|
| latest | Yes |
Only the latest deployed version receives security updates.
Report vulnerabilities to graham@oriondevcore.com.
Do not open a public issue for security vulnerabilities. We will:
- Acknowledge receipt within 48 hours
- Assess severity and impact
- Deploy a fix within a reasonable timeline depending on severity
- Notify you when the fix is live
We ask that you:
- Give us reasonable time to fix the issue before public disclosure
- Do not access or modify user data beyond what is necessary to demonstrate the vulnerability
- Do not use automated scanners that may disrupt service
In scope: the Orion Agent Worker, its API endpoints, WebSocket handler, and the React dashboard.
Out of scope: Cloudflare infrastructure, third-party dependencies (report those to their respective maintainers).