Security fixes are provided for the latest released version.

If you discover a security issue, please avoid opening a public issue with exploit details. Contact the maintainer privately first and include a clear description, affected version or commit, and reproduction steps where possible.

Expected response process:

• Acknowledge the report as soon as practical.
• Reproduce and assess impact before public disclosure.
• Prepare a fix and release notes.
• Credit the reporter if they want to be credited.

• Use a long random API_KEY.
• Deploy Snapshot behind HTTPS.
• Keep uploads and logs out of version control.
• Restrict CORS_ORIGINS and ALLOWED_HOSTS in production.
• Set ENVIRONMENT=production after replacing placeholder values.
• Rotate secrets after accidental exposure.

Reports involving authentication bypass, path traversal, unsafe file handling, stored file exposure, container privilege issues, or dependency vulnerabilities are especially valuable.