We take security and user trust seriously. Please use the private channels below to report vulnerabilities so we can assess and remediate before public disclosure.
- Preferred: Open a private advisory via GitHub’s “Report a vulnerability” link for this repository.
- Alternative: Email
security@shipsec.aiwith a clear subject (e.g.,Vulnerability report: <area>).
Please include:
- Affected area (frontend, backend, worker, shared package) and commit/branch if known.
- Reproduction steps or proof-of-concept.
- Impact assessment (confidentiality/integrity/availability) and any prerequisites.
- Suggested fixes or mitigations if you have them.
We aim to acknowledge new reports within 3 business days and provide an initial remediation plan or timeline within 10 business days.
- Do not test against production data you do not own. Avoid actions that degrade availability.
- Respect privacy and data integrity; use test tenants/accounts where possible.
- No bounties are currently offered; coordinated disclosure credit is provided in release notes when applicable.
- Never include real secrets or tokens in issues, PRs, or logs. Use
.env.examplefor new configuration keys and follow existing patterns for secret management.