Please do not open a public GitHub issue.
Report vulnerabilities privately through GitHub's Report a vulnerability form (the Security tab on the repository).
If GitHub's form is unavailable, email security@vidit.app (no exploit details) to request an alternate channel.
- A clear description of the vulnerability and its impact.
- A minimal proof-of-concept or reproduction steps.
- The affected version / commit SHA / endpoint.
- Optional: your suggested fix.
| Stage | Target |
|---|---|
| Initial acknowledgement of the report | within 7 days |
| Triage + fix | best-effort, in the advisory |
| Public disclosure after a fix ships | within 90 days of fix release |
Reporters are credited in the advisory's Credits field on request; say so in the report if you prefer anonymity.
In scope:
- Production application code under
backend/andfrontend/. - Database schema and migrations under
backend/alembic/. - CI / CD workflow files under
.github/workflows/. - The deployed instance at
https://vidit.app/https://api.vidit.app(cap testing at 5 req/s).
Out of scope:
- Rate limiting on a self-hosted deployment. Configured values aren't security boundaries for self-hosters.
- Social-engineering attacks on the maintainer or attempts to compromise maintainer accounts (report to the relevant provider).
- Findings that require physical access to a user's device or a privileged position on the user's network.
- Automated-scanner findings with no demonstrated impact (
X-Frame-Optionsmissing on a public marketing page,Server:header disclosure, etc.). - Volumetric DoS (load-test traffic); application-layer DoS via a specific code path is in scope.
Good-faith research following this policy will not be pursued legally. Please:
- Stop and report the moment you confirm a vulnerability — do not exfiltrate data, modify other accounts, or pivot further.
- Do not access, modify, delete, or test against data or content that isn't yours.
If you accidentally access user data: stop, report, and do not retain copies.