Please report security issues privately via email:
Do not create a public issue for vulnerabilities. Include:
- Steps to reproduce
- Affected version/commit (if known)
- Impact assessment (what an attacker can do)
- Any suggested mitigations
- I will acknowledge receipt as soon as possible and investigate.
- No formal SLA is promised, but I aim to provide status updates while working on a fix.
- Once a fix is available, details may be published with credit to the reporter (optional).
This policy covers the pocket-server repository. For other related projects, please open a discussion in their respective repositories.