We release patches for security vulnerabilities. Which versions are eligible for patches depends on the CVSS v3.0 Rating:

If you find a vulnerability, please email [email protected] with the details and we will respond as soon as possible. Please do not create a public issue.

We ask that you follow responsible disclosure practices when reporting vulnerabilities. This means you should:

• Contact us privately to report the vulnerability.
• Give us a reasonable amount of time to address the issue before making any information public.
• Avoid exploiting the vulnerability in any way.

To ensure the security of your Shelve installation, we recommend the following best practices:

• Keep your software up to date with the latest security patches.
• Use strong, unique passwords for all accounts.
• Enable two-factor authentication (2FA) where possible.
• Regularly review and audit your security settings and access controls.
• Monitor your systems for any unusual activity and respond promptly to any security incidents.