
Security: is2b007/daybreak


SECURITY.md

Security Policy

Reporting a vulnerability

If you discover a security issue in Daybreak, please report it privately; do not file a public GitHub issue.

Email: kostac@hey.com

Please include:

  • A description of the issue and its impact.
  • Steps to reproduce (or a proof-of-concept).
  • The version / commit hash you tested against.

I'll acknowledge receipt within a few days and work with you on a fix and disclosure timeline.

Scope

Daybreak is a single-user self-hosted app. The most relevant concerns are:

  • OAuth token handling for Basecamp and HEY.
  • Rails credentials / master key storage.
  • Any path that handles user-supplied content from Basecamp or HEY payloads.

What's out of scope

  • Vulnerabilities that require a compromised host machine or valid Basecamp admin credentials.
  • Missing rate limiting on a single-user app.
  • CSRF/XSS reports generated by automated scanners without a demonstrable impact.

Thanks

Security research is appreciated. Responsible disclosure helps everyone who self-hosts Daybreak.
