If you discover a security vulnerability, please report it responsibly. Do not open a public issue.
Send an email to the repository owner with:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (optional)
You can also use GitHub's private vulnerability reporting to submit a report directly.
After you report, you can expect:
- Acknowledgment within 48 hours
- An assessment of the vulnerability within 7 days
- A fix or mitigation plan for confirmed vulnerabilities
The following are in scope:
- Authentication and session management (`src/app/api/auth/`, `src/lib/auth/`)
- Input validation and injection vulnerabilities
- Cross-site scripting (XSS)
- Server-side request forgery (SSRF)
- Information disclosure
The following are out of scope:
- Issues in third-party dependencies (report these to the upstream project)
- Denial-of-service attacks
- Social engineering
Only the latest version on the master branch is supported with security updates.