Security: tsudo/arwx.info

Security Policy

Reporting a Vulnerability

If you discover a security issue in this repository, please report it responsibly.

Contact: keith@keithcrawford.me
Web: keithcrawford.me/connect
GPG Key: Public Key (Key ID: 0xC4C53435)
Preferred Language: English

Scope

This repository contains code that is deployed or distributed. Security reports are welcome for:

  • Authentication or authorization flaws
  • Injection vulnerabilities (XSS, SQLi, command injection)
  • Secrets, credentials, or API keys committed to the repository
  • Dependency vulnerabilities with a known exploit path
  • Server-side request forgery (SSRF) or insecure direct object references

Out of scope: Theoretical vulnerabilities without a demonstrated exploit path, social engineering, and denial-of-service attacks.

Response

  • Reports are acknowledged within 48 hours.
  • Valid findings are addressed promptly. Fixes are prioritized by severity and exploitability.
  • Responsible disclosure is appreciated. Please allow reasonable time for remediation before public disclosure.

Attribution

If you report a valid finding and wish to be credited, let us know in your report. Credit is given in the fix commit or release notes unless you prefer to remain anonymous.
