
Security: cryptorugmuncher/rmi-intelligence

SECURITY.md

Security Policy

Supported Versions

Version   Supported
2.x       ✅ Active support
1.x       ❌ End of life

Reporting a Vulnerability

DO NOT OPEN A PUBLIC ISSUE. This is a commercial security product. Vulnerabilities in our code directly affect our customers' safety.

Email: security@rugmunch.io
PGP Key: [Available on request]
Response time: Within 24 hours
Disclosure: Coordinated disclosure after fix deployment (max 90 days)

What to include:

  • Type of vulnerability (RCE, auth bypass, data exposure, etc.)
  • Affected endpoint/component
  • Steps to reproduce
  • Proof of concept (if available)
  • Impact assessment

What you'll receive:

  • Confirmation within 24 hours
  • Regular status updates
  • Credit in release notes (unless you request anonymity)
  • Bug bounty at our discretion (contact us for current program details)

Security Best Practices for Contributors

  1. Never commit secrets — API keys, tokens, passwords, private keys go in environment variables only
  2. Use .env (gitignored) for local development credentials
  3. Sign your commits with GPG (git config commit.gpgsign true)
  4. Review your own diffs before pushing — check for accidental credential exposure
  5. Use branch protection — all changes to main must go through PR review
  6. Run git-sync.py --dry-run before pushing to verify no secrets are staged

Our Security Stack

  • Pre-commit hooks scan every staged file for secrets
  • Pre-push hooks block force pushes and re-scan for secrets
  • GitHub Actions CI runs secret scanning on every PR
  • Dependabot monitors dependencies for known CVEs
  • Production secrets stored in GitHub Secrets vault + environment variables
  • Backend .env never committed (in .gitignore)
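To show how the staged-file secret scan listed above can be built, here is an added example of a pre-commit hook; it is not the project's own hook, and the regex patterns, file names and install path in it are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the project's own hook: a POSIX sh pre-commit hook that
# scans the staged content of every added/copied/modified file for
# secret-looking strings and blocks the commit when any are found.
# Install (assumption): copy to .git/hooks/pre-commit and chmod +x.

# Illustrative patterns, not an exhaustive ruleset: AWS access key IDs,
# PEM private-key headers, and assignments such as API_KEY=..., token: "..."
# or password = '...' whose value is 16+ characters of key-like text.
SECRET_PATTERN="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9/+_=-]{16,}"

# scan_content LABEL: reads text on stdin and prints each hit as
# LABEL:lineno:text. Returns 0 when clean, 1 when at least one line matched.
scan_content() {
    label="$1"
    hits=$(grep -niE "$SECRET_PATTERN")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits" | while IFS= read -r line; do
        printf '%s:%s\n' "$label" "$line"
    done
    return 1
}

# scan_staged: scans the blobs in the index (git show :path), not the working
# tree, so a secret that was edited out but not re-staged is still caught.
# The here-document keeps the loop in the current shell so the flag survives.
scan_staged() {
    bad=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        git show ":$f" | scan_content "$f" || bad=1
    done <<EOF
$(git diff --cached --name-only --diff-filter=ACM)
EOF
    return $bad
}

# Run the scan only when invoked by git as the pre-commit hook, so the
# functions above can also be sourced or tested on their own.
case "$0" in
    */pre-commit)
        scan_staged || {
            echo "pre-commit: secret-looking content is staged; commit blocked" >&2
            exit 1
        }
        ;;
esac
```

A hook like this is a last line of defence on the developer's machine; the CI scan on every PR listed above still catches commits made with the hook bypassed.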
