
Security: zkmall/stackrivet-server


SECURITY.md

Security Policy

Supported versions

StackRivet is pre-1.0. Security fixes land on main and ship in the next release. Please test against the latest release or main before reporting.

Reporting a vulnerability

Do not open a public issue, pull request, or discussion for a security problem. Public disclosure before a fix puts every user at risk.

Report privately through either channel:

  • GitHub — open a private advisory via the repository's Security → Report a vulnerability tab (GitHub Private Vulnerability Reporting).
  • Email — open@zkthink.com with the subject SECURITY: stackrivet-server.

Please include:

  • affected version / commit, and the module (e.g. stackrivet-security, stackrivet-asset);
  • a description of the issue and its impact;
  • reproduction steps or a proof of concept;
  • any suggested remediation.

What to expect

  • Acknowledgement within 3 business days.
  • Initial assessment (severity, affected versions) within 10 business days.
  • We will keep you informed of progress and coordinate a disclosure timeline with you. With your permission we credit reporters in the release notes.

Scope

In scope: the code in this repository. Out of scope: third-party dependencies (report upstream; we will bump once a fix is released), and the security of your own deployment configuration (secrets, network exposure, OS hardening). See .env.example and the deployment docs for hardening guidance.
