| Version | Supported |
|---|---|
| 1.x | ✅ |

Older versions are not supported. Please upgrade to the latest 1.x release before reporting a vulnerability.

Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately via GitHub Security Advisories. We aim to acknowledge reports within 72 hours and to provide a fix or mitigation within 14 days for confirmed critical issues.

A useful report contains:
- Description — what the vulnerability is and what an attacker could achieve
- Affected component — e.g. EventStore, CQRS, Document Store, DI registration
- Reproduction steps — the minimal code or configuration to trigger the issue
- Chronicles version and .NET version
- Impact assessment — your estimate of severity (CVSS score if possible)
- Suggested fix (optional but appreciated)

We will coordinate disclosure with you and credit you in the release notes unless you prefer to remain anonymous.