Mertonon has cookie-session-based authentication only at this time and no nontrivial authorization system. Mertonon password policies are unenforced at this time. Mertonon will endeavor to be zero-trust and you'll be able to use a huge menagerie of authn things and do RBAC for authz but none of that is possible at this time. We're working on it.

We will use this space to tell you how to contact us for delayed ('responsible') disclosure when we have some security but Mertonon has no substantive security at this time so you'd just be telling us something we know already.