
Security: RunemarkLabs/munewell


SECURITY.md

Security Policy

Reporting a vulnerability

Please report security issues privately, not in public GitHub issues.

Email: security@munewell.com

Include:

  • A description of the issue and the affected component
  • Reproduction steps or a proof-of-concept, if you have one
  • Your assessment of the impact
  • Any suggested fix (optional)

We will acknowledge your report within 5 business days, keep you posted on triage and remediation, and credit you in the release notes once a fix ships (unless you'd prefer to remain anonymous).

Scope

Munewell Community Edition is a single-user, self-hosted journal. The threat model assumes:

  • The operator (you) is trusted
  • The host running Docker is trusted
  • Any reverse proxy you put in front of Munewell is trusted
  • The browser used to install the PWA is trusted

In-scope issues:

  • RCE, SSRF, or path-traversal bugs in the Next.js app
  • SQL injection or other untrusted-input bugs against the SQLite DB
  • Auth-bypass or privilege-escalation issues against the reminder endpoint or any other API route
  • Web Push handling bugs (lost or duplicated subscriptions, payload injection)
  • Supply-chain concerns in our dependency tree

Out of scope:

  • DoS via traffic flooding (Munewell is a single-user app; its exposed surface is whatever you choose to expose)
  • Issues that require an attacker who already has shell access to the host or the container
  • Outdated dependency reports without a working exploit path

There aren't any published security advisories