Please report vulnerabilities privately:
- Email: security@maild.click (replace if needed)
- Or GitHub private vulnerability reporting if enabled
Do not post exploit details in public issues.
- Initial acknowledgement: within 72 hours
- Triage decision: within 7 days
- Fix timeline depends on severity and exploitability
Highest priority areas:
- credential storage and secret handling
- SMTP auth/session security
- unsubscribe/suppression bypasses
- tenant/workspace isolation
- webhook signature validation
Good-faith security research is welcome. Avoid privacy harm, service disruption, and data exfiltration.