Yoki is under active development. Security fixes are applied to the latest version on the master branch.

| Version | Supported |
|---|---|
| latest | ✅ |
| < 0.1 | ❌ |

If you discover a security vulnerability in Yoki, please report it responsibly. Do not open a public GitHub issue for security-related problems.
Instead, report the vulnerability through one of the following channels:
- GitHub Security Advisories (preferred)
- Open a private security report via GitHub's "Report a vulnerability" button on the Security tab

If neither option is available, you may open a GitHub issue asking for a private contact method without disclosing any vulnerability details.

Please provide as much information as possible to help us understand and reproduce the issue:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Affected versions or commits
- Any proof-of-concept code or exploit details (if applicable)
- Suggested fix or mitigation (if you have one)

We aim to acknowledge reports within 48 hours and provide an initial assessment within 7 days. You will be kept informed of our progress toward a fix.
- We ask that you do not publicly disclose the vulnerability until a fix has been released and users have had reasonable time to update.
- We will credit reporters in the release notes or advisory, unless you prefer to remain anonymous.
- We follow coordinated disclosure practices and will work with you on an appropriate timeline.

When running Yoki in production:
- Keep the proxy updated to the latest version
- Do not expose the proxy port to the public internet without additional network-level protections
- Run the proxy with the minimum required system privileges
- Monitor logs for unusual connection patterns

Thank you for helping keep Yoki and its users safe.