If you find a security vulnerability in our code, do not make an issue for it. Instead, go to the Security tab and report it there so it's not visible to the public.
Creating a report is easy; here is a guide with images to help.
Click the button that says to create a new draft.
Important: PLEASE have GitHub assign a CVE ID to your report. Make sure the CVE Identifier dropdown says to assign one later.
Then, once the report is made, click Request CVE.
A popup will then ask if you really want to. Click the Request button.
A few minutes (or possibly hours) later, you should get a comment saying "GitHub has issued CVE-{current year}-XXXXX for this Security Advisory after reviewing it for compliance with CVE rules. Once you've published your Security Advisory, we'll publish the CVE to the CVE List.
Thank you for making the open source ecosystem more secure by fixing and responsibly disclosing this vulnerability."
- .env files - These are for Firebase, and we have controls so that the production database can't be accessed when not on our Vercel hosting.
- .yml or .yaml files - These are actions for GitHub.

