Memos is currently in beta (v0.x). While we take security seriously, we are not yet ready for formal CVE assignments or coordinated disclosure programs.

Please report via email only: [email protected]

DO NOT open public GitHub issues for security vulnerabilities.

Include in your report:

• Description of the issue
• Steps to reproduce
• Affected versions
• Your assessment of severity

• We will acknowledge your report as soon as we can
• Fixes will be included in regular releases without special security advisories
• No CVEs will be assigned during the beta phase
• Credit will be given in release notes if you wish

Use GitHub issues for functionality bugs, feature requests, and general questions.

As a beta project, we prioritize:

1. Rapid iteration over lengthy disclosure timelines
2. Quick patches over formal security processes
3. Transparency about our beta status

We plan to implement formal vulnerability disclosure and CVE handling after reaching v1.0 stable.

Since Memos is self-hosted software:

• Keep your instance updated to the latest release
• Don't expose your instance directly to the internet without authentication
• Use reverse proxies (nginx, Caddy) with rate limiting
• Review the deployment documentation for security best practices

Thank you for helping improve Memos!