
Security: sanchez314c/stream-grid


SECURITY.md

Security Policy

Supported Versions

We release security patches for the following versions:

Version   Supported
1.1.x     Yes
1.0.x     Yes
< 1.0     No

Reporting a Vulnerability

Do not report security vulnerabilities through public GitHub issues.

Please report security vulnerabilities via GitHub security advisories: https://github.com/sanchez314c/stream-grid/security/advisories/new

Or email directly: software@jasonpaulmichaels.co

Include as much of the following as possible:

  • Type of issue (buffer overflow, SQL injection, XSS, path traversal, etc.)
  • Full paths of affected source files
  • Location of the vulnerable code (tag, branch, commit, or direct URL)
  • Any special configuration required to reproduce
  • Step-by-step reproduction instructions
  • Proof-of-concept or exploit code (if available)
  • Impact assessment — how could an attacker exploit this?

Response Timeline

  • 48 hours: Acknowledgment of your report
  • 7 days: Initial assessment and severity rating
  • 30 days: Patch released for confirmed vulnerabilities (critical issues get expedited treatment)

You'll be notified at each stage. If you don't hear back within 48 hours, follow up directly.

Disclosure Policy

  • We will coordinate with you on disclosure timing
  • We will publicly disclose the vulnerability after a fix is released
  • We will credit you in the release notes unless you prefer to remain anonymous

Scope

StreamGRID is a desktop Electron app. The primary attack surface includes:

  • IPC channels between renderer and main process (contextBridge/preload)
  • Network requests to RTMP/RTSP/HLS stream sources
  • ONVIF device discovery (UDP broadcast, XML parsing)
  • Local SQLite database (stream metadata, settings)
  • File system access (log files, settings JSON)

Out of scope:

  • Vulnerabilities in upstream dependencies (report those to the relevant project)
  • Issues requiring physical access to the machine
  • Social engineering attacks

Safe Harbor

We support responsible disclosure. If you act in good faith and follow this policy, we will not pursue legal action against you and will work with you to understand and resolve the issue promptly.
