Security fixes are applied to the latest release. We recommend always using the newest SDK version.
| Version | Supported |
|---|---|
| 1.2.x | ✅ |
| 1.1.x | ❌ |
| < 1.1 | ❌ |
Packages covered: TypeScript (@manycore/aholo-sdk-*), Python (manycore-aholo-sdk-*), and Java (com.manycoreapis:aholo-sdk-*).
Please do not report security vulnerabilities through public GitHub issues.
If you believe you have found a security issue in this SDK, report it privately using one of the following:
- GitHub Security Advisories (preferred): Report a vulnerability
- Email: devops-team@qunhemail.com (if the advisory form is unavailable)
Include as much detail as possible:
- Affected package(s) and version(s)
- Steps to reproduce
- Impact assessment (e.g. credential exposure, insecure defaults)
- Proof of concept, if available
- Acknowledgment within 5 business days
- Initial assessment within 10 business days
- We will coordinate disclosure timing with you and publish a fix or mitigation before any public announcement when possible
In scope
- Vulnerabilities in this repository's source code (HTTP client handling, credential storage patterns, dependency usage bundled by the SDK, etc.)
Out of scope
- Vulnerabilities in the Aholo API backend itself (report via Aholo support)
- Issues caused solely by misuse of API keys or insecure application code outside this SDK
- Social engineering or denial-of-service against Aholo infrastructure
- Never commit
AHOLO_API_KEYor other secrets to source control. - Prefer environment variables or your platform's secret manager.
- Rotate API keys promptly if you suspect exposure.
Thank you for helping keep Aholo Spatial SDK users safe.