# Security Policy
How we handle security reporting, disclosure, and best practices.
## Supported Versions
The following table shows which versions of Project Planner currently receive security updates:
| Version | Supported |
|---|---|
| Latest | ✅ Yes |
| 0.6.x | ✅ Yes |
| < 0.6 | ❌ No |
We strongly recommend using the latest version of Project Planner to ensure you have the most recent security patches and improvements.
## Reporting a Vulnerability
### How to Report
Do NOT open a public issue for security vulnerabilities. Public disclosure before a fix is available puts all users at risk.
To report a security vulnerability, use one of the following methods:
- Email — support@projectplanner.md
- GitHub — Use GitHub's private vulnerability reporting.
Please include the following information in your report:
- A clear description of the vulnerability.
- Steps to reproduce the issue.
- The potential impact or severity.
- Any suggested fixes or mitigations, if available.
### What to Expect
After submitting a vulnerability report, here's what happens:
- Initial response within 48–72 hours — We will acknowledge receipt of your report.
- Updates within 7 days — You'll receive a status update on the investigation.
- Fix within 30 days — We aim to resolve confirmed vulnerabilities within 30 days of the initial report.
- Credit in release notes — With your permission, we'll credit you in the release notes for the fix.
## Security Update Process
When a vulnerability is confirmed, we follow this process:
- Private fix development — A patch is developed privately to prevent premature disclosure.
- New version release — A new version containing the fix is published to the Obsidian Community Plugins directory.
- Delayed disclosure — Details of the vulnerability are withheld until users have had time to update.
- Security advisory — A public advisory is published with full details after the disclosure period.
## Security Best Practices
Follow these recommendations to keep your Project Planner installation secure:
- Keep updated — Always run the latest version of the plugin. Enable automatic updates in Obsidian's settings if possible.
- Trusted sources only — Only install Project Planner from the official Obsidian Community Plugins directory or the GitHub releases page.
- Review permissions — Be mindful of what access any plugin requests and only grant permissions that are necessary.
- Report suspicious behavior — If you notice unexpected behavior that could indicate a security issue, report it using the methods described above.
Project Planner operates entirely on your local device. Your data is never sent to external servers by the plugin.