Only the latest version of Forge running in production receives security updates. There are no prior versions to support as Forge is a continuously deployed web application.

If you discover a security vulnerability within Forge, please email Refringe at me@refringe.com. Please do not open a public issue for security vulnerabilities.

You can expect an initial response within 48 hours acknowledging your report. All security vulnerabilities will be promptly addressed.

Forge is a community-driven, open-source project and does not offer a bug bounty program. We appreciate responsible disclosure and will credit reporters in the fix commit where appropriate.