The main branch is actively maintained. Older tags may not receive security updates.
Please DO NOT create a public GitHub issue for security problems.
Instead:
- Email: security@rotur.dev (if available) or open a private advisory (GitHub Security Advisories).
- Provide details: affected endpoints, reproduction steps, potential impact.
- Allow up to 72 hours for initial acknowledgement.
- Use only your own test data; do not exfiltrate real user data.
- Keep rate-limiting and brute-force testing to a minimum.
- Do not run automated scanners against production without permission.
In scope:
- Auth bypass / privilege escalation
- Insecure direct object references
- Injection (JSON, path traversal, etc.)
- Data corruption or unauthorized persistence writes
Generally out of scope (the exception noted in each item still applies):
- Lack of rate limiting on non-sensitive endpoints (unless leading to abuse)
- Missing security headers (unless causing practical exploitability)
- The presence of public test/demo credentials (none should exist; report if you find one)
Thanks for helping keep users safe.