Security: zkmall/stackrivet-admin-ui

SECURITY.md

Security Policy

Supported versions

StackRivet is pre-1.0. Security fixes land on main and ship in the next release. Please test against the latest release or main before reporting.

Reporting a vulnerability

Do not open a public issue, pull request, or discussion for a security problem. Public disclosure before a fix puts every user at risk.

Report privately through either channel:

  • GitHub — open a private advisory via the repository's Security → Report a vulnerability tab (GitHub Private Vulnerability Reporting).
  • Email open@zkthink.com with the subject SECURITY: stackrivet-admin-ui.

Please include:

  • affected version / commit;
  • a description of the issue and its impact (e.g. XSS, token handling, CSRF, permission bypass in the UI);
  • reproduction steps or a proof of concept;
  • any suggested remediation.

Note that the admin UI is a client; access control is ultimately enforced by stackrivet-server. Report server-side authorization issues against that repo.

What to expect

  • Acknowledgement within 3 business days.
  • Initial assessment (severity, affected versions) within 10 business days.
  • We will keep you informed of progress and coordinate a disclosure timeline with you. With your permission we credit reporters in the release notes.

Scope

In scope: the code in this repository. Out of scope: third-party dependencies (report upstream; we will bump once a fix is released), and the security of your own deployment configuration.