Security Policy

Reporting

Do not publish a suspected vulnerability, exposed secret, real identity document or private location in a public issue.

Contact the repository owner privately through an agreed security channel. Until a dedicated address is configured, use the owner’s verified private GitHub contact route and provide only enough information to establish the issue.

Scope

Security concerns include:

  • unauthorized evidence access;
  • account takeover;
  • privilege escalation;
  • public exposure of exact private locations;
  • forged verification status;
  • payment/webhook manipulation;
  • cross-provider data access;
  • insecure Android local storage;
  • secret leakage;
  • unsafe public Pages content.

Handling expectations

Reports should include affected component, steps, impact, evidence with sensitive data removed, and safe remediation ideas. Do not access, download or retain more data than necessary.

Supported versions

No production version is currently released. This policy will be updated at pilot and launch.

Public repository warning

Never commit production credentials or real verification material. Assume deleted Git history may remain accessible through clones or caches.