Security fixes target the latest released version and the main branch.
| Version | Supported |
|---|---|
latest release / main |
✅ |
| older releases | ❌ |
Please do not open a public issue for security problems.
Report privately through GitHub's built-in flow:
- Go to the repository's Security tab → Report a vulnerability, or open https://github.com/bogware/morass/security/advisories/new.
- Include the affected version/commit, a description, and a minimal reproduction if you have one.
If private reporting is unavailable to you, open a regular issue containing only "I'd like to report a security issue privately, please advise a channel" — without any details — and a maintainer will follow up.
We aim to acknowledge reports within a few days and to ship a fix or mitigation as quickly as the severity warrants. Coordinated disclosure is appreciated: please give us a reasonable window before any public write-up.
Morass is an audio plugin with no network functionality. The most relevant issue classes are:
- memory-safety bugs reachable from crafted plugin state or preset (
.morass) files, - crashes a host could trigger through normal plugin APIs, and
- problems in the build / CI / release supply chain.
Reports in those areas are especially welcome.