
Security: Egyan07/PhantomEye


Security Policy

Supported Versions

Version    Supported
2.1.x      Yes
2.0.x      Yes
< 2.0      No

Reporting a Vulnerability

If you discover a security vulnerability in PhantomEye, please report it responsibly.

Email: [email protected]

What to include:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected version(s)
  • Potential impact

Response timeline:

  • Acknowledgement within 48 hours
  • Status update within 7 days
  • Fix or mitigation within 30 days for confirmed issues

Please do not:

  • Open a public GitHub issue for security vulnerabilities
  • Share vulnerability details publicly before a fix is released

Scope

The following are in scope for security reports:

  • SQL injection or database manipulation
  • Path traversal or file system access
  • Code injection or command injection
  • Authentication bypass (email credentials)
  • Sensitive data exposure
  • Denial of service via crafted input

The following are out of scope:

  • Social engineering attacks
  • Attacks requiring physical access
  • Third-party feed availability or accuracy
  • Issues in dependencies (report upstream)
