Security: barney-w/surf

SECURITY.md

Security Policy

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue in surf, please report it responsibly using one of the private channels below -- do not open a public GitHub issue.

How to Report

Option 1 -- GitHub Security Advisory (preferred)

Report the vulnerability privately via GitHub's Security Advisory feature: https://github.com/barney-w/surf/security/advisories/new

Option 2 -- Email

Send details to security@barney-w.dev.

What to Include

To help us triage and resolve the issue quickly, please include:

  • A clear description of the vulnerability
  • Step-by-step reproduction instructions
  • The potential impact (e.g. data exposure, privilege escalation, denial of service)
  • Any relevant versions, environments, or configurations affected

Response Timeline

We aim to respond within 48 hours of receiving a report. After confirming the vulnerability, we will work on a fix and keep you informed of progress.

Disclosure

Once the vulnerability has been resolved, we will publish a GitHub Security Advisory to inform the community. We are happy to credit reporters who wish to be acknowledged.

Thank you for helping keep surf and its users safe.

There aren’t any published security advisories