We currently support the following versions with security updates:
| Version | Supported |
|---|---|
| 3.4.x | ✅ |
| <=3.3 | ❌ |
Leantime takes security seriously. If you discover a security vulnerability, please follow these steps:
- Do NOT disclose the vulnerability publicly
- Email security@leantime.io with details about the vulnerability
- Allow up to 48 hours for an initial response
- Work with us to resolve the issue before any public disclosure
For more information, visit our Responsible Disclosure Policy.
Once a disclosure has been accepted and fixed in a version, we will wait for at least 2 version updates before disclosing it, to give people enough time to update. That means if a vulnerability was discovered in 2.4.1 and then fixed in 2.4.2, it will not be disclosed until we release 2.4.4.
When deploying Leantime:
- Always use HTTPS (Hypertext Transfer Protocol Secure)
- Keep PHP and all dependencies up to date
- Enable two-factor authentication
- Use strong passwords
- Make regular backups
We thank all of you for your dedication to the craft. At this point we cannot offer any monetary rewards for disclosed vulnerabilities.