Please do not open a public GitHub issue for security vulnerabilities.

Open a private security advisory directly on GitHub. This is confidential and only visible to maintainers.

If you prefer email, contact the maintainer via their GitHub profile.

• A clear description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes

We aim to respond within 48 hours and will keep you informed of progress.

The following are in scope:

• apps/api — REST API endpoints (XSS, injection, auth bypass)
• packages/cli — CLI argument parsing and file access
• packages/scanner-core — Scanner rule logic
• apps/web — Next.js web application

Out of scope: third-party dependencies (please report those to their maintainers directly).

We follow coordinated disclosure. Once a fix is released, we will credit the reporter in the release notes (unless they prefer to remain anonymous).