Report vulnerabilities to security@bunny.dev (placeholder).
- Authentication is always required for session access
- URLs are pointers, never credentials
- CDP and VNC ports bind to 127.0.0.1 only
- Secrets are redacted before storage and streaming
- PTY children receive allowlisted environment only
Never commit: .env, secrets.enc, bunny.db, session cookies.