Please report vulnerabilities privately via GitHub Security Advisories ("Report a vulnerability" on the repository's Security tab). Do not open public issues for security reports.
You can expect an acknowledgement within 7 days. Please include reproduction steps and, when relevant, a minimal PST or attachment sample that triggers the issue (synthetic data only — never real mail content).
| Version | Supported |
|---|---|
| latest 0.x release | ✅ |
| older releases | ❌ |
PSTforge is alpha software; only the most recent release receives fixes.
We follow coordinated disclosure: we will work with you on a fix and agree on a publication date, normally within 90 days of the report.
PSTforge treats every PST and every attachment as hostile input: attachments are routed by magic bytes (not extension), archives are extracted member-by-member under expansion/count/ratio limits, Office macros are never executed, and extraction happens under a private temp root. Log output never contains message bodies, subjects, email addresses, or API keys. Findings that break any of these properties are in scope and appreciated.