Security: Agelo-Platform/agelo-server

SECURITY.md

Security policy

Reporting a vulnerability

Please do not open public GitHub issues for security bugs.

Use GitHub's private vulnerability reporting form on this repository:

Repo → Security → Report a vulnerability

Or email sir.jeff.nasseri@gmail.com with the subject prefix [agelo-server security].

Include:

  • A short description of the issue and its impact
  • Steps to reproduce or a proof-of-concept
  • Affected versions / commits if known
  • Whether the issue is currently public

What to expect

  • An acknowledgement within 72 hours.
  • A triage decision and a target fix window within 7 days.
  • A coordinated disclosure: we'll keep you in the loop until a patched release lands and a security advisory is published.

Supported versions

Until Agelo cuts its first stable release, only master is supported. Older tags do not receive security fixes — please upgrade.

Out of scope

  • Volumetric / denial-of-service findings against the public demo
  • Issues that require physical access to the host
  • Self-XSS that needs the user to paste arbitrary code into devtools
  • Vulnerabilities in transitive dependencies that already have a public advisory and a fix in master

Thank you for helping keep Agelo safe.
