Security

SECURITY.md

Security Policy

Reporting

Report vulnerabilities privately. Do not open public issues for active vulnerabilities.

Primary contact: GitHub private security advisory on this repository
Alternate: open a GitHub security advisory if direct contact is not available

Include:

affected versions/commits
reproduction steps or proof of concept
impact assessment
suggested mitigation

Response Targets

Acknowledge within 72 hours
Initial triage within 7 days
Remediation/disclosure plan after validation

Coordinated Disclosure

Please wait for a fix or agreed mitigation window before public disclosure.

Scope

In scope:

Authentication and session handling
Authorization bypass (accessing other users' data)
Input validation and injection vulnerabilities
Data exposure

Out of scope:

Denial of service against the live service
Social engineering
Issues requiring physical access

There aren't any published security advisories