| Version | Supported |
|---|---|
| main | ✅ Active development |
| Older tags | Best-effort |
Please do not open public issues for security bugs.
- Use GitHub Security Advisories (preferred), or
- Email the maintainer via GitHub profile contact (no public disclosure until fixed).
Include: description, reproduction steps, impact, and suggested fix if any.
We aim to acknowledge within 7 days and ship a fix or mitigation when confirmed.
In scope:

- Authentication bypass on `/api/cron/*`
- Secret exposure in client bundles or logs
- SQL injection / unsafe DB access
- Rate-limit bypass leading to resource exhaustion on hosted instances
Out of scope:

- Denial of service against third-party APIs (GitHub, Product Hunt)
- Issues in dependencies without a practical exploit path (report via Dependabot)
Never commit `.env`. Run `gitleaks detect --config .gitleaks.toml` before releases. See `docs/SECRET_AUDIT.md`.