If you wish to receive security updates, please subscribe to the rclone announce group. This is a low-volume announcement list for security updates, releases and other important information.
If you discover a security vulnerability in the rclone project, please follow these steps:
- Do Not Publicly Disclose: Do not raise an issue in the public issue tracker or disclose the vulnerability publicly until it has been resolved.
- Use GitHub's Reporting Interface:
  - Navigate to the GitHub Security Advisories page for rclone.
  - Provide a detailed description of the issue, including steps to reproduce it if possible.
- If you are unable to do the above, then please send the details to [email protected]
We will acknowledge receipt of your report within 48 hours and provide updates as we investigate and address the issue.
The following versions of rclone are currently supported with security updates:
| Version | Supported |
|---|---|
| Latest release | ✅ Yes |
| Older releases | ❌ No |
We only apply security fixes to the latest version and the latest beta of rclone.
- Investigation: The security team investigates the report and assesses its impact.
- Fix Development: A patch is developed in a private branch to resolve the issue.
- Testing: The fix undergoes thorough testing to ensure it resolves the vulnerability without introducing regressions.
- Public Release: The patch is merged, and a new release is published.
- Disclosure: A public advisory is issued detailing the vulnerability and its resolution.
To protect the users of rclone, we request that you adhere to the following responsible disclosure guidelines:
- Allow sufficient time for the issue to be addressed before discussing it publicly.
- Work with us to verify the fix and ensure the vulnerability is resolved.
Thank you for helping to keep rclone secure!