Security: Updeus/Online-tools

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open public GitHub issues for suspected vulnerabilities.

Preferred reporting methods:

  1. GitHub Security Advisories (private vulnerability report).
  2. Email: esareesingh@gmail.com.

Please include:

  • A clear description of the issue and affected area.
  • Reproduction steps or proof-of-concept.
  • Impact assessment (what an attacker could do).
  • Any suggested remediation if available.

Response Expectations

  • Initial acknowledgement target: within 3 business days.
  • Status updates: provided during triage/remediation.
  • Public disclosure: after a fix is available and users have had reasonable time to update.

API Hardening Notes

  • API route bodies are validated with strict Zod schemas (.strict()), so unknown fields are rejected.
  • tool_id/slug inputs are trimmed, length-limited (<= 80), regex-constrained (^[a-z0-9-]+$), and must exist in the tool registry before write operations.
  • Report text fields are sanitized to plain text before storage to reduce stored XSS risk.
  • Supabase service-role usage remains isolated to server-only modules; static tests guard against client imports of server modules and service-role env leakage.
