Security: MakeReadyApp/MakeReady.Web

SECURITY.md

Security Policy

Thanks for helping keep MakeReady and its users safe.

Reporting a vulnerability

Please do not open a public GitHub issue for security problems.

Email dev@guccigunclub.com with:

  • A description of the issue
  • Steps to reproduce, or a proof of concept
  • The impact you think it has (what could an attacker do?)
  • Your GitHub handle, if you'd like credit in the fix

Expect an acknowledgement within a few days. This is a volunteer-run community project, so response times are best-effort, not SLA-grade.

Scope

In scope:

  • Authentication bypass or session handling flaws
  • Broken Row-Level Security (data visible across clubs, users, matches, etc.)
  • Injection (SQL, XSS, server actions)
  • Privilege escalation (shooter gaining MD/admin access, or similar)
  • Sensitive data exposure (PII, tokens, data unintentionally made public)
  • CSRF, clickjacking, or other request-forgery issues

Out of scope:

  • Issues that require physical access to an unlocked device the attacker already owns
  • Denial-of-service via naive resource exhaustion
  • Reports generated purely by automated scanners without a working proof of concept
  • Social-engineering attacks against match directors or shooters

Please do not

  • Run automated scans, fuzzers, or exploit tooling against makereadyapp.com — that's the live site with real user data
  • Access, modify, or exfiltrate data that isn't yours
  • Publicly disclose the issue before we've had a chance to respond

If you want to test a proof of concept, spin up your own Supabase project and run a local or self-hosted instance — see docs/self-hosting.md.

Credits

Researchers who follow this policy and report in good faith will be credited in the fix (unless you prefer anonymity). There's no bug bounty program — this is a volunteer community project — but your work will be visible and appreciated.

There aren’t any published security advisories