Please do not open a public GitHub issue for security vulnerabilities.
To report a vulnerability, use GitHub's private vulnerability reporting on this repo:
- Go to the Security tab on the repo
- Click Report a vulnerability
- Fill out the advisory form

This sends the report directly to the maintainers and keeps the disclosure private until a fix ships.

Please include the following in your report:
- A description of the vulnerability and its impact
- Steps to reproduce, or a proof-of-concept
- Affected versions (MCP server, WordPress plugin, design-library plugin)
- Any suggested mitigation

We aim to acknowledge reports within a few business days. DiviOps is beta software — fixes ship via the next release cycle once verified, with a coordinated disclosure window if the issue warrants one.

Security fixes are applied to the latest release line only. Older releases are not patched.