Only the latest release is actively supported with security fixes.

| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |

Please do not report security vulnerabilities through public GitHub issues.

Report vulnerabilities privately using GitHub's private vulnerability reporting. This ensures the issue can be reviewed and a fix prepared before public disclosure.

Please include as much of the following as possible:
- A description of the vulnerability and its potential impact
- The affected version(s)
- Steps to reproduce or a proof of concept
- Any suggested mitigations

You can expect an acknowledgement within 72 hours and a status update within 7 days.

Once a fix is available, the vulnerability will be disclosed via a GitHub Security Advisory along with the patched release. Credit will be given to the reporter unless anonymity is requested.

lynko is a Hugo module that renders a static HTML page — there is no server-side execution, database, or authentication. Please keep this context in mind when evaluating severity:
- Vulnerabilities in the generated static output (e.g. XSS via unsanitized config values) are in scope
- Vulnerabilities in the Hugo build pipeline or module system itself should be reported upstream to the Hugo project