Security reports should focus on starter-managed platform surfaces, including:
- authentication and protected admin access
- permission gates and operator session handling
- provider-backed settings and secret handling
- payment, notification, and storage runtime integrations
- multi-tenant organization boundaries and data exposure risks
- admin and runtime APIs

Please do not open a public GitHub issue for security vulnerabilities.
Instead, report security issues privately to:
security@logicm8.com
Replace this placeholder with your real security contact before publishing the repository.
Please include as much of the following as possible:
- affected version or commit
- reproduction steps
- expected versus actual behavior
- impact assessment
- proof of concept, logs, or screenshots if safe to share
- whether the issue may affect tenant isolation, secrets, payments, or authentication

Target response goals:
- initial acknowledgment within 3 business days
- triage decision within 7 business days
- coordinated disclosure timeline after validation

We prefer responsible disclosure. After validation, we will coordinate on:
- severity
- fix timeline
- release timing
- whether public credit should be given

We will not pursue action against good-faith security research that:
- avoids privacy violations and service abuse
- avoids destructive actions or data exfiltration beyond what is necessary to demonstrate the issue
- gives us a reasonable chance to fix the issue before public disclosure