Only the latest release of Matcha is supported with security updates.
If you discover a security vulnerability in Matcha, please report it responsibly. Do not open a public issue.
Email us at [email protected] with:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (optional)
We will acknowledge your report within 48 hours and aim to provide a fix or mitigation plan within 7 days, depending on severity.
This policy covers the Matcha codebase and its official releases. Third-party dependencies are outside our direct control, but we will work to address reported issues in dependencies as quickly as possible.
We ask that you give us reasonable time to address the issue before disclosing it publicly. We are committed to crediting reporters in release notes (unless you prefer to remain anonymous).