VVibeFlui

Security Reporting

Do not publish sensitive security reports in public issues.

What counts as sensitive

Use a private maintainer channel for reports involving:

  • Authentication or authorization bypass.
  • Token, cookie, or session exposure.
  • Private API credentials.
  • Cross-site scripting or unsafe rendering.
  • Package supply-chain concerns.
  • A vulnerability that affects production users.

What to include

Include enough detail for maintainers to reproduce the issue safely:

  • A short summary.
  • Affected package and version.
  • Minimal reproduction steps.
  • Expected security boundary.
  • Actual behavior.
  • Whether the issue is public, private, or already exploited.
  • Suggested mitigation, if known.

What not to include

Do not include:

  • Live access tokens.
  • Seed phrases.
  • Private keys.
  • Customer data.
  • Production-only exploit scripts.

Use sanitized examples wherever possible.