Security fixes are provided for the latest release on the default branch. If you are running an older commit or a fork, please rebase/upgrade before reporting issues.

If you believe you have found a security vulnerability, please do not open a public GitHub issue.
Instead, report it privately by emailing:

Please include:
- A description of the issue and potential impact
- Steps to reproduce (proof-of-concept if available)
- Affected components (pages, API routes, packages)
- Any relevant logs, screenshots, or stack traces
- Your suggested fix or mitigation (optional)

We aim to:
- Acknowledge receipt within 3 business days
- Provide a status update within 10 business days

Timelines may vary depending on severity and complexity.

We prefer coordinated vulnerability disclosure. Please allow reasonable time for investigation and remediation before public disclosure.

This repository does not currently operate a public bug bounty. If that changes, it will be documented here.