Only the latest versions of Stack's server and client packages are supported. We do not provide security updates for older versions.

If you would like to get security consulting regarding older versions of on-prem or self-hosted deployments of Stack, please contact us.

Stack Auth practices responsible disclosure. This helps us protect our users, but requires your cooperation.

Please disclose security vulnerabilities responsibly by emailing us at security@stack-auth.com. In this case, we will get back to you within 96 hours, and aim to get a fix released as soon as possible. We will disclose the issue publicly after at most 90 days.

Hence, we ask you not to publicize issues until the 90 days deadline is over. Also, please do not create GitHub issues with security vulnerabilities; instead, email us directly at the address above.