Endpoint content in endpoints/ is subject to automated guardrails so that only safe, Code-of-Conduct–compliant content is merged. We use the OpenAI Moderation API to inspect newly added strings in pull requests. Content classified as harmful under any of the API’s content classifications is rejected — the moderation check fails and the PR cannot be merged until the content is changed or removed.
Categories we inspect include: harassment, harassment/threatening, hate, hate/threatening, illicit, illicit/violent, self-harm, self-harm/intent, self-harm/instructions, sexual, sexual/minors, violence, and violence/graphic. For full definitions, see Moderation | OpenAI API. This supports our Code of Conduct and keeps the API safe for a broad audience.
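The following Python is an added example of how such a gate can be wired up; it is not the project's own CI script. It pulls the `+` lines of a unified diff restricted to `endpoints/`, sends them to the Moderation API, and fails when any string comes back flagged. The diff is constructed for illustration, and the `OPENAI_API_KEY` environment variable, the `omni-moderation-latest` model name and the batch size are assumptions.

```python
"""Moderation gate for newly added endpoint strings (added example, not DOaaS code).

Usage in CI:  git diff origin/main...HEAD -- endpoints/ | python moderate_check.py
Exit status 1 means at least one added string was flagged.
"""
import json
import os
import sys
import urllib.request

MODERATION_URL = "https://api.openai.com/v1/moderations"
MODEL = "omni-moderation-latest"   # assumption: current multi-category model
BATCH = 32                         # assumption: keep each request small

# Constructed diff: one edit under endpoints/ and one outside it.
SAMPLE_DIFF = """\
diff --git a/endpoints/greetings.json b/endpoints/greetings.json
--- a/endpoints/greetings.json
+++ b/endpoints/greetings.json
@@ -1,3 +1,4 @@
 {
-  "hello": "Hi there!",
+  "hello": "Hi there, welcome aboard!",
+  "bye": "See you soon.",
 }
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # DOaaS
+Docs change outside endpoints/ is not moderated.
"""


def added_lines(diff_text, path_prefix="endpoints/"):
    """Return the added ('+') lines of a unified diff for files under path_prefix.

    Only new content is inspected: context and removed lines are already on the
    maintained branch and were checked when they were merged.
    """
    out = []
    in_scope = False
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            in_scope = path.startswith(path_prefix)
        elif line.startswith(("--- ", "@@ ", "diff ", "index ")):
            continue
        elif in_scope and line.startswith("+"):
            text = line[1:].strip()
            if text:
                out.append(text)
    return out


def call_moderation(texts, api_key):
    """POST a list of strings to the Moderation API; one result per input."""
    results = []
    for i in range(0, len(texts), BATCH):
        body = json.dumps({"model": MODEL, "input": texts[i:i + BATCH]}).encode()
        req = urllib.request.Request(
            MODERATION_URL, data=body, method="POST",
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            results.extend(json.load(resp)["results"])
    return results


def evaluate(texts, results):
    """Pair each string with its result. Returns (ok, [(text, [categories]), ...])."""
    findings = []
    for text, result in zip(texts, results):
        if result.get("flagged"):
            cats = sorted(c for c, hit in result.get("categories", {}).items() if hit)
            findings.append((text, cats))
    return (not findings), findings


def run_check(diff_text, moderate):
    """Gate: ok is True only when nothing under endpoints/ was flagged.

    `moderate` maps a list of strings to Moderation API results, so the network
    call can be swapped for a stub when testing the gate itself.
    """
    texts = added_lines(diff_text)
    if not texts:
        return True, []
    return evaluate(texts, moderate(texts))


if __name__ == "__main__":
    key = os.environ["OPENAI_API_KEY"]   # assumption: injected as a CI secret
    ok, findings = run_check(sys.stdin.read(), lambda t: call_moderation(t, key))
    for text, cats in findings:
        print(f"FLAGGED [{', '.join(cats)}]: {text}")
    sys.exit(0 if ok else 1)
```

Scoping the check to added lines keeps the request small and avoids re-moderating strings that were already accepted, and any flagged category is treated as a hard failure rather than reading the per-category scores, which matches the policy stated above.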
Security fixes are applied to the actively maintained branch of DOaaS. Older releases receive fixes only when the backport effort is low and the issue is high severity.
| Version | Status |
|---|---|
| main branch | Actively supported |
| Older releases | Best effort (upgrade) |
If you are running an older commit or a fork and cannot upgrade, please highlight that in your report so we can discuss options.
Please do not open a public GitHub issue or discussion for security vulnerabilities.
Instead, use one of the following private channels:
- GitHub Security Advisories: New advisory
- Email: samer.farida@yahoo.com
When reporting, please include as much detail as possible:
- Proof-of-concept or reproduction steps
- Affected commit SHA or release tag
- Impact assessment and suggested mitigations, if known
- Preferred contact information and availability
If you require encryption, mention it in your report and we can provide an OpenPGP key over email.
- Acknowledgement: We aim to acknowledge receipt within 2 business days.
- Initial assessment: We will triage and respond with initial findings or questions within 5 business days.
- Remediation plan: For confirmed issues, we will coordinate on a fix, testing, and target release timeline. We may request additional information to reproduce or validate the issue.
- Coordinated disclosure: We prefer coordinated disclosure so users can patch before details are public. We will agree on a disclosure window (typically 30–90 days, depending on severity) and keep you updated on progress.
If you believe a vulnerability is being actively exploited or needs immediate attention, please mark your report as URGENT and include a reachable contact method.
We value legitimate security research. When you follow this policy and report issues responsibly, we will not pursue legal action or DMCA claims against you. Please:
- Avoid privacy violations, service degradation, or destruction of data
- Respect rate limits and always obtain consent before testing on systems you do not own
Thank you for helping keep DOaaS and its users safe. We take security seriously so you can keep DOaaS-ing without worry.