Security: MakeReadyApp/MakeReady.Mobile

SECURITY.md

Security Policy

Thanks for helping keep MakeReady and its users safe.

Reporting a vulnerability

Please do not open a public GitHub issue for security problems.

Email dev@guccigunclub.com with:

  • A description of the issue
  • Steps to reproduce, or a proof of concept
  • The impact you think it has (what could an attacker do?)
  • Your GitHub handle, if you'd like credit in the fix

Expect an acknowledgement within a few days. This is a volunteer-run community project, so response times are best-effort, not SLA-grade.

Scope

In scope:

  • Authentication bypass or session handling flaws in the Supabase sync path
  • Issues with the master / scoring pad sync server that could let an unauthorized device read or write match data over the local network
  • Broken Row-Level Security (cloud-side data visible across clubs, users, matches)
  • Data leakage from the local SQLite database beyond the app sandbox
  • Sensitive data exposure (PII, auth tokens, data unintentionally made public)
  • Privilege escalation (RO gaining MD capabilities, or similar)

Out of scope:

  • Issues that require physical access to an unlocked tablet the attacker already owns
  • Automated scanner output without a working proof of concept
  • Match-day social engineering against MDs or ROs
  • Rooted-device attacks on data that's protected by OS-level sandboxing

Please do not

  • Attack the production Supabase project (the backend of makereadyapp.com) — spin up your own Supabase project for testing
  • Run automated scans, fuzzers, or exploit tooling against devices you don't own
  • Publicly disclose the issue before we've had a chance to respond

Credits

Researchers who follow this policy and report in good faith will be credited in the fix (unless you prefer anonymity). There's no bug bounty program — this is a volunteer community project — but your work will be visible and appreciated.