If you discover a security vulnerability in the rclone project, please follow these steps:
- Do Not Publicly Disclose: Do not raise an issue in the public issue tracker or disclose the vulnerability publicly until it has been resolved.
- Use GitHub's Reporting Interface:
- Navigate to the GitHub Security Advisories page for rclone.
- Provide a detailed description of the issue, including steps to reproduce it if possible.
We will acknowledge receipt of your report within 48 hours and provide updates as we investigate and address the issue.
The following versions of rclone are currently supported with security updates:
| Version | Supported |
|---|---|
| Latest release | ✅ Yes |
| Older releases |
Please note that versions beyond one year of their release may not receive security patches.
- Investigation: The security team investigates the report and assesses its impact.
- Fix Development: A patch is developed in a private branch to resolve the issue.
- Testing: The fix undergoes thorough testing to ensure it resolves the vulnerability without introducing regressions.
- Public Release: The patch is merged, and a new release is published.
- Disclosure: A public advisory is issued detailing the vulnerability and its resolution.
To protect the users of rclone, we request that you adhere to the following responsible disclosure guidelines:
- Allow sufficient time for the issue to be addressed before discussing it publicly.
- Work with us to verify the fix and ensure the vulnerability is resolved.
Thank you for helping to keep rclone secure!