We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

You can report security vulnerabilities through:

1. GitHub Security Advisory (Preferred)

   • Go to the Security tab of this repository
   • Click "Report a vulnerability"
   • This allows private discussion until a fix is ready

2. Email

   • Send details to: security@lerian.studio
   • PGP key available for encrypted communications
   • We recommend Mailvelope for email encryption

Please do NOT disclose the vulnerability publicly until we have addressed it.

1. Initial Contact: You submit vulnerability via GitHub Advisory or email
2. Acknowledgment: We confirm receipt within 24 hours
3. Verification: Our security team verifies the vulnerability
4. Assessment: We determine severity and potential impact
5. Resolution: We develop and deploy a fix
6. Notification: We inform you of the resolution
7. Public Disclosure: We coordinate with you to disclose responsibly

We recommend always running the latest version.

• Authentication and authorization vulnerabilities
• Data exposure or leakage
• Injection vulnerabilities (SQL, command, etc.)
• Cryptographic issues
• Business logic flaws

• Denial of service (DoS) attacks
• Social engineering
• Physical security
• Issues in dependencies (report to upstream)

When deploying this application:

• Never hardcode secrets - Use environment variables or secrets management (e.g., HashiCorp Vault)
• Keep updated - Regularly update to the latest version
• Secure configuration - Follow our documentation for secure setup
• Network security - Use TLS, firewalls, and network segmentation
• Access control - Apply principle of least privilege

We appreciate security researchers who help keep our project secure. With your permission, we'll acknowledge your contribution in our release notes.

• Security Email: security@lerian.studio
• General Issues: Use GitHub Issues for non-security bugs
• Discussions: GitHub Discussions