We take the security of Material for MkDocs seriously. If you believe you have found a security vulnerability in Material for MkDocs, we encourage you to report it to us responsibly.
Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.
Instead, please send a report to martin.donath@squidfunk.com with the following information:
- A description of the vulnerability and its potential impact.
- The steps required to reproduce the issue.
- Any relevant files, screenshots, or proof-of-concept code.
- Your name and contact information, if you would like to be credited.
We are committed to working with security researchers and our community to address vulnerabilities quickly and transparently. When you submit a report, you can expect the following:
- Acknowledgement within 3 business days of your report.
- Regular updates on our progress as we investigate and address the issue.
- Confidentiality – we will not share your personal information without your permission, and we ask that you keep the vulnerability confidential until we have had the opportunity to address it.
- Credit – we are happy to acknowledge your contribution once the vulnerability has been resolved, if you would like.
We release security fixes for the latest stable version of Material for MkDocs until its end-of-life date on November 5, 2026. We encourage all users to stay up to date with the latest release to ensure they benefit from all security patches.
After November 5, 2026, Material for MkDocs will no longer receive public security updates as part of standard maintenance.
Organizations with longer support requirements are welcome to contact us at martin.donath@squidfunk.com to discuss potential extended support options.
This policy applies to vulnerabilities in the Material for MkDocs codebase. If you discover a vulnerability in a third-party dependency, please report it to the maintainers of that project directly.
We take dependency security seriously. We are deliberate in our selection of third-party dependencies, and we actively monitor and update them to ensure Material for MkDocs remains on the latest stable versions. If you believe a dependency we use poses a security risk, feel free to bring it to our attention at martin.donath@squidfunk.com.