If you believe you've identified a security vulnerability in Mastodon (a bug that allows something to happen that shouldn't be possible), send an email to security@joinmastodon.org.
You should not report such issues on GitHub or in other public spaces to avoid exposing Mastodon's users to increased risk.
A "vulnerability in Mastodon" is a vulnerability in the code distributed through our main source code repository on GitHub. Vulnerabilities specific to ElonSucks.org (e.g. misconfiguration) should be reported at https://github.com/elon-sucks/elonsucks.org/security/advisories
| Version | Supported |
|---|---|
| 4.0.x | Yes |
| 3.5.x | Yes |
| < 3.5 | No |