Do not open a public issue for unfixed security problems.

Report vulnerabilities through GitHub Security Advisories for this repository (private disclosure). If that is unavailable, contact the maintainers with enough detail to reproduce and assess the issue.

Reports should concern this repository (TinyOps core) and its documented deployment paths. Third-party dependencies or misconfiguration of your host (exposed Docker socket, weak AUTH_KEY, open API without network controls) are generally out of scope unless TinyOps could reasonably prevent or warn about them in code or docs.

We will acknowledge serious reports when we can. There is no SLA; this is a volunteer-maintained open source project.