Please email dotkboy@outlook.com (or dotkboy@outlook.com) with details and a minimal PoC if possible. We’ll acknowledge within 5 business days and aim to provide a triage decision within 10 business days.

• Code in this repository and released artifacts.
• Not in scope: third-party dependencies, Docker images we don’t publish.

We won’t pursue legal action for good-faith vulnerability research that:

• respects our Noncommercial license,
• avoids data exfiltration and privacy violations,
• does not degrade or disrupt other users,
• and gives us a reasonable remediation window (default 90 days) before public disclosure.

We don’t run a bounty program at this time; we may acknowledge reporters publicly upon request after a fix is released. dotkboy@outlook.com