Please report security vulnerabilities through GitHub's private vulnerability reporting.

Do not open a public issue for security vulnerabilities.

In scope:

• Server (apps/frontman_server/)
• Client libraries (libs/)
• Protocol layer (libs/frontman-protocol/)

Out of scope:

• Marketing website (apps/marketing/)
• Dogfooding app (apps/dogfooding/)
• Infrastructure configs (infra/)

• Acknowledgment: Within 48 hours of report
• Fix target: Within 90 days of confirmation
• Disclosure: Coordinated disclosure after a fix is available — no public disclosure before then