If you discover a security vulnerability in CodeCaddy, please do not file a public Issue or Discussion.
Instead, email security@devbytes.cloud with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested mitigation
We'll acknowledge receipt within 72 hours and provide a timeline for resolution.
CodeCaddy is a hosted SaaS, so security fixes are deployed continuously to codecaddy.dev. There are no "old versions" to patch.
Security researchers who responsibly disclose vulnerabilities will be credited at codecaddy.dev/changelog (with their permission). We don't currently offer a paid bug bounty, but we're grateful for the work researchers do to keep our users safe.