
Security: magendooro/.github


SECURITY.md

Security Policy

Supported Versions

We provide security fixes for the latest major release of each repository. Older versions receive fixes only on a best-effort basis; each security advisory will state whether a backport to an older version is feasible.

Version   Supported
Latest    Yes
Older     Best effort

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Report vulnerabilities privately by emailing info@magendoo.ro with:

  • Repository name and affected version(s)
  • A clear description of the vulnerability
  • Steps to reproduce or a proof-of-concept (if available)
  • Potential impact assessment

What to Expect

  • Acknowledgement within 3 business days.
  • Assessment and a preliminary response within 7 business days.
  • Fix or mitigation coordinated with you before any public disclosure.
  • Credit in the release notes if you wish to be acknowledged.

Scope

These projects interact with Magento 2 / Adobe Commerce stores and may handle customer PII, order data, and payment information indirectly. Vulnerabilities in the following areas are of highest priority:

  • Authentication bypass or privilege escalation
  • PII exposure (especially in magemcp PII redaction logic)
  • SQL injection or improper query parameterization in Go database layers
  • Insecure default configuration

Out of Scope

  • Vulnerabilities in Magento 2 core, Adobe Commerce, or third-party dependencies — report those upstream.
  • Issues requiring physical access to infrastructure.
  • Theoretical vulnerabilities with no practical exploit path.

Disclosure Policy

We follow coordinated disclosure. We ask that you give us reasonable time to address the issue before making any public disclosure.
