This security policy is effective as of 2026-03-12.
If you believe you have found a security vulnerability in this repository, you can report it to us using private vulnerability reporting.
If you are unable to file a report via the above mechanism, or want to report vulnerabilities in any other GitButler service or application, please email us at security@gitbutler.com instead.
Please do not report security vulnerabilities through public GitHub issues, discussions, pull requests or any other publicly accessible format.
Thanks for helping make GitButler safe for everyone.
We are committed to keeping our application safe and therefore offer rewards for certain vulnerability reports.
Reports of vulnerabilities in a released version of the GitButler application or any related GitButler service with a demonstrable attack vector qualify for a bug bounty of at least $100.
Non-exploitable vulnerabilities may qualify for a reward, but the rewards program does not guarantee a reward if an exploit cannot be demonstrated.
GitButler offers no "Long Term Support" (LTS) releases at this time. Security fixes are not backported. To keep your system secure, please stay up-to-date with our releases.