Please do not report security vulnerabilities through public GitHub issues.

To report a vulnerability privately:

1. Open a GitHub Security Advisory in this repository.
2. Provide a clear description of the issue, steps to reproduce, and potential impact.

We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 14 days for critical issues.

• We follow coordinated disclosure.
• We will credit reporters in release notes unless they prefer to remain anonymous.

• Always set a strong, unique JWT_SECRET (see docs/security/secrets.md).
• Run behind a reverse proxy (nginx, Caddy, Cloudflare) with TLS in production.
• Restrict database access to the API container only.
• Rotate secrets regularly and after any suspected compromise.
• Keep Node.js and dependencies up to date (npm audit).