| Version | Supported |
|---|---|
| v0.2.x | ✅ active |
| v0.1.x | |
| < v0.1.0 | ❌ no longer supported |
Please do not open a public GitHub issue for security vulnerabilities.
Report privately by email:

`taobaoaz (at) users.noreply.github.com`

(Replace `(at)` with `@`. This is the GitHub `noreply` alias for the `taobaoaz` account; it is published instead of a personal address so that no personal mailbox is exposed.)
If you cannot use email, open a GitHub Security Advisory draft through the repository's Security tab instead — that path is also private and is preferred over a plain issue.
A good report makes our job easier and gets you a faster fix. Please include:
- The plugin version (`@zcode/harmonyos-dev-plugin` from `package.json`)
- The exact MCP tool name (e.g. `appstore_search`, `harmony_build_app`) and the arguments you passed (with secrets redacted)
- The HarmonyOS / DevEco / Node version, and the OS you're running on
- A minimal repro: command(s) or skill prompt that triggers the bug
- What you expected vs. what happened
- Any public CVE / advisory reference, if applicable
| Stage | Target |
|---|---|
| Acknowledgement | within 7 days |
| Triage decision | within 14 days |
| Patch (critical / high) | within 30 days |
| Patch (medium / low) | next regular release |
This policy covers:
- The `harmonyos-dev/plugin` source, build artifacts, and the published `apps.json` dataset.
- The 30 MCP tools registered in `src/mcp/server.ts` (25 `harmony_*` and 5 `appstore_*`).
- The `AppGallery Crawl` GitHub Actions workflow and the data it publishes.
It does not cover:
- The HarmonyOS NEXT platform itself or Huawei's AppGallery backend. Issues in those upstream systems should be reported to Huawei.
- The user's own machine environment, JDK, Node, or hvigor install.