Security

Reporting a vulnerability

If you find a security issue, please email [email protected] with reproduction steps. We aim to acknowledge within 48 hours and fix or coordinate disclosure within 30 days for critical issues.

Machine-readable: /.well-known/security.txt

Safe harbor

We will not pursue legal action against researchers who:

In scope

Out of scope

What we run

End-to-end TLS via Cloudflare, Caddy auto-renewing Let's Encrypt certs, payload encryption at rest (AES-256-GCM), Argon2id password hashing where applicable, OAuth tokens encrypted at rest, hardened sshd (key-only, no root, /29-only ingress), ufw + fail2ban, auditd, automated dependency upgrades via Dependabot + weekly pnpm audit, gitleaks + Semgrep on every PR.