Security fixes are provided for the latest release on the default branch.
If you discover a security issue, please report it privately instead of opening a public issue.
- Open a private security advisory on GitHub with a description of the issue, steps to reproduce, and impact if known.
- Allow a reasonable time for a fix before public disclosure.
- Do not include live credentials, production data, or customer content in your report.
We will acknowledge receipt and work with you on remediation and coordinated disclosure when appropriate.
Agent Relay is designed so encrypted delivery content is decrypted in the user's browser.
Self-hosted operators remain responsible for securing their deployment: database access,
object storage credentials, SMTP, SESSION_SECRET, TLS, and backups. See the
Backup and restore (self-hosting) section in
README.md for the minimum Postgres + S3 procedure.