Please email security@getmunin.com with details. Do not open a public issue for security reports.
We aim to acknowledge within 72 hours and provide a remediation timeline within 7 days for confirmed issues.
In scope:
- Munin backend (NestJS app, MCP server, OAuth server, REST API)
- Munin web (Next.js dashboard/landing)
- Munin packages (
@getmunin/*) - Default Docker compose self-host configuration
Out of scope:
- Third-party services and your hosting provider — report to those vendors directly
- Customer-side AI runners and integrations