Security: zzorphcreator/knowa

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Use GitHub's private Security Advisory feature to report vulnerabilities confidentially. This allows us to assess and patch the issue before it is publicly disclosed.

Include as much of the following as possible:

  • Type of issue (e.g. SQL injection, path traversal, credential exposure)
  • File paths and line numbers relevant to the issue
  • Steps to reproduce
  • Proof-of-concept or exploit code (if possible)
  • Impact assessment

What to expect

We aim to acknowledge reports within 48 hours and provide a fix or mitigation plan within 14 days for confirmed vulnerabilities.

Scope

Issues in scope:

  • SQL injection or data exfiltration via the query or admin endpoints
  • Authentication bypass on the X-API-Key middleware
  • Path traversal via the /admin/file or /admin/browse endpoints
  • Credential or secret exposure in logs or API responses

Issues out of scope:

  • Vulnerabilities that require physical access to the server
  • Denial of service via resource exhaustion (no SLA on the open-source project)
  • Issues in dependencies — report those directly to the dependency maintainer