If you have found a security issue in this project, please report it privately. Do not open a public GitHub issue.
Email: [email protected]
Please include:
- A clear description of the issue
- Steps to reproduce
- The version (commit SHA) you tested against
- Any proof-of-concept code or output
I respond to every report within 7 days. Confirmed issues are patched on main and released as a tagged version; reporters are credited in the release notes unless they request otherwise.
| Version | Supported |
|---|---|
| main (latest commit) | yes |
| 1.x tagged releases | yes |
| anything older | no |
Only the latest commit on main and the current 1.x release line receive security fixes. Pin to a tagged release if you need a stable version surface, and track main for patches.
This policy covers the code in this repository. Bugs in upstream dependencies should be reported to those projects directly.
The following are out of scope:
- Issues in third-party services (Vercel, Supabase, GitHub, Cloudflare, etc.)
- Findings that require physical access to a developer machine
- Theoretical risks without a working proof of concept
- Denial of service against demo / hosted instances