Only the latest released version of Hermes IDE receives security fixes.
Do not open a public GitHub issue for security vulnerabilities.
Please report security vulnerabilities by emailing: security@hermes-ide.com
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Impact assessment
- Suggested fix (optional)

| Step | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix timeline communicated | Within 14 days |
| Fix released | Target within 90 days |

In scope:
- The Hermes IDE desktop application (macOS, Windows, Linux)
- Auto-update mechanism
- Network communication initiated by the application
- Local file system access and permissions

Out of scope:
- Third-party extensions or plugins
- Issues in upstream dependencies (report to the upstream project)
- Social engineering
- Denial of service against update infrastructure

We follow coordinated disclosure. We ask for 90 days from the initial report before public disclosure. We will credit you in the security advisory unless you prefer to remain anonymous.
Security research conducted consistent with this policy is authorized and will not be subject to legal action.