If you discover a security vulnerability in Godot Launcher, please do not open a public issue.
Instead, report it responsibly by emailing:
Please include:
- A detailed description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact.
- Any suggested mitigation or patch (optional but appreciated).
We aim to respond within 72 hours and provide a fix within 7–14 days, depending on severity.
| Version | Supported |
|---|---|
| Latest release | ✅ |
| Older versions | ❌ (not maintained) |
We only patch the latest stable release.
This policy applies to:
- The Godot Launcher application
- Godot version manager code
- Editor settings handling logic
- Update system
- All scripts in the main GitHub repository
It does not apply to:
- External tools like Git or VSCode
- The Godot engine itself (report those to Godot's issue tracker)
Disclosure process:
- Vulnerability reported privately
- Acknowledgement from maintainer
- Investigation and patch creation
- Coordinated disclosure (if needed)
- Public security advisory on GitHub
We may credit responsible disclosures in our release notes or a SECURITY_CREDITS.md file, if permission is granted.