If you discover a security vulnerability, please report it responsibly.

Do NOT open a public issue.

Instead, please email or contact directly:

• Email: ad13dtu@gmail.com
• GitHub: @apoorvdarshan
• Twitter/X: @apoorvdarshan

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: within 48 hours
• Assessment: within 1 week
• Fix: as soon as possible, depending on severity

This policy covers:

• The serverless API (api/merge.ts)
• The landing page (public/index.html)
• Dependencies and deployment configuration

• GITHUB_TOKEN: Required for API access. Never exposed to the client. Set as a server-side environment variable only.
• User input: Usernames are validated against GitHub's format before use. Max 10 users per request.
• No user data storage: The tool does not store any user data. All caching is ephemeral in-memory with a 5-minute TTL.
• No authentication: The tool is read-only and only fetches public contribution data.
• SVG output: Generated SVGs use escaped text content to prevent XSS injection.

Thank you for helping keep this project and its users safe.