This project is under active development. Security reports are welcome for:

• authentication and admin protection,
• secret storage and runtime configuration,
• email delivery and token handling,
• exposed API routes,
• Docker and deployment defaults.

Please do not open a public issue for a suspected vulnerability.

Instead, contact the maintainer privately with:

• a short description of the issue,
• the impact,
• reproduction steps,
• affected files or endpoints,
• any suggested remediation if available.

A report should be acknowledged quickly, then triaged before public disclosure.