Security: eigen-is/eigen

Security Policy

Eigen handles mail, files, documents, calendars, and other personal data. If you find a security issue, please report it privately — not via a public GitHub issue or pull request.

Reporting a vulnerability

Two ways, preferred first:

I aim to acknowledge reports within a week and share a rough timeline for a fix once triaged. Critical issues affecting user data are prioritized; lower-severity issues may take longer. Eigen is a side project with a single maintainer, so response times may vary — especially around holidays. If you haven't heard back within two weeks, please send a follow-up email.

Scope

In scope:

  • The Eigen server (apps/api/) and any of its endpoints
  • The shipped frontend apps (apps/*)
  • The default Docker deployment (docker/, docker-compose.yml, Caddyfile)
  • Shared packages (packages/lib, packages/ui, packages/sheet)

Out of scope:

  • Issues that require physical access to the server, a compromised admin account, or a compromised user device
  • Known issues in third-party dependencies that are already tracked upstream (please report those upstream)
  • Self-inflicted misconfiguration (weak DKIM keys, exposed admin endpoints, disabled HTTPS, leaked secrets, etc.)
  • Denial of service from a single authenticated user against their own account

Supported versions

Eigen is still pre-1.0 and moves fast. Only the main branch is actively maintained. If you're running something older, the first step is always to update.

Disclosure

Once a fix is available, I'll credit reporters in the release notes unless you'd prefer to stay anonymous. Please give a reasonable disclosure window (at least until a fix ships) before making details public.