If you discover a vulnerability in cyberscan, please report it privately rather than opening a public GitHub issue.

• GitHub: open a security advisory.

Please include:

1. A description of the issue and where in the code it lives.
2. Steps to reproduce (or a proof-of-concept payload).
3. The version / commit you tested against.

• We aim to acknowledge reports within 5 business days.
• We will keep you updated until a fix lands and a release is cut.
• Reporters who want public credit are listed in release notes.

• Cross-tenant data access (RLS bypass).
• Authentication bypass (JWT, API token, OIDC).
• Authorization bypass (role escalation).
• Server-side template injection / SSRF / RCE in the API or worker.
• Secret leakage (audit-log export, error messages, response bodies).

• Findings produced by a scan (scanners produce data; that data is the product).
• Deployments using the development defaults (dev-secret-change-me, admin@example.com / admin, CORS_ORIGINS=*).
• The vulnerable test targets (juice-shop, DVWA) bundled in compose for local testing.