Security: Velm14/runevault

SECURITY.md

Security policy

Reporting a vulnerability

Please do not open public GitHub issues for security problems. Use one of the private channels below; the maintainer will respond within a reasonable window for a solo-maintained OSS project (typically a few days).

When reporting, please include:

  • A description of the issue and its impact.
  • Steps to reproduce — ideally a minimal proof-of-concept.
  • The commit SHA / version you tested against.
  • Whether you've disclosed this to anyone else.

I'll credit reporters in the CHANGELOG.md entry that ships the fix unless you ask otherwise.

What's in scope

  • Auth and session handling (pkg/auth/, pkg/api/auth.go, pkg/auth/middleware.go)
  • Encryption of refresh tokens (pkg/db/crypto.go)
  • Premium-key generation and redemption (cmd/keygen/, pkg/db/db.go key functions, pkg/api/keys.go)
  • Rate limiting (pkg/api/ratelimit.go)
  • Admin-IP allowlist (pkg/api/allowlist.go)
  • CORS, body-size limits, request validation
  • The reverse-proxy configuration (Caddyfile)
  • Push notification keys / Discord webhook validation (pkg/scraper/notify.go)
  • SQL injection or unsafe parameterisation anywhere
  • SSRF / open-redirect / XSS bugs

What's out of scope

  • The Quinfall game server itself — that's the publisher's system.
  • Anything about whether running this software violates the Quinfall ToS; that is the operator's responsibility per the legal note in README.md.
  • Vulnerabilities in dependencies that are best reported upstream (please report those to the dependency directly, then optionally open a tracking issue here once it's public).
  • Issues that require an attacker to already have privileged shell access to a production server.

Hardening notes

Operators self-hosting this should also:

  • Set ADMIN_IPS to only their own IP. The default is empty, which disables admin endpoints entirely (safe).
  • Set COOKIE_SECURE=true and COOKIE_DOMAIN correctly for production HTTPS.
  • Set CORS_ORIGIN to an explicit list, not *.
  • Generate fresh values for JWT_SECRET and TOKEN_ENCRYPTION_KEY (openssl rand -hex 32) — never reuse the examples in .env.example.
  • Rotate the Caddy basic-auth hash (ADMIN_BASIC_AUTH_HASH) on first deploy. Generate with docker run --rm caddy:2-alpine caddy hash-password.
  • Keep MAINTENANCE_MODE ready for incidents.
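As an added illustration (not part of the runevault code base), here is a Go startup check that applies the hardening notes above to the loaded environment before the server binds. It assumes the 64-hex-character shape that `openssl rand -hex 32` produces, the bcrypt `$2...` prefix that `caddy hash-password` emits by default, and a constructed placeholder in place of the real sample values from `.env.example`.

```go
package main

import (
	"net"
	"net/url"
	"regexp"
	"strings"
)

// hexKey64 matches the shape of `openssl rand -hex 32` output: exactly 64 hex characters.
var hexKey64 = regexp.MustCompile(`^[0-9a-fA-F]{64}$`)

// exampleSecrets is a constructed placeholder for the sample values shipped in
// .env.example (not reproduced here); fill it from that file in a real deployment.
var exampleSecrets = map[string]bool{"changeme": true}

// CheckHardening checks the settings named in the hardening notes and returns one
// finding per setting that is still weak; an empty result means all checks passed.
func CheckHardening(env map[string]string) []string {
	var findings []string
	add := func(msg string) { findings = append(findings, msg) }
	// ADMIN_IPS: empty disables admin endpoints (safe); any entry given must be an IP or CIDR.
	for _, raw := range strings.Split(env["ADMIN_IPS"], ",") {
		if e := strings.TrimSpace(raw); e != "" && net.ParseIP(e) == nil {
			if _, _, err := net.ParseCIDR(e); err != nil {
				add("ADMIN_IPS entry is not an IP or CIDR: " + e)
			}
		}
	}
	if env["COOKIE_SECURE"] != "true" || env["COOKIE_DOMAIN"] == "" {
		add("COOKIE_SECURE must be true and COOKIE_DOMAIN set for production HTTPS")
	}
	// CORS_ORIGIN: an explicit list of absolute origins (scheme + host), never "*".
	for _, raw := range strings.Split(env["CORS_ORIGIN"], ",") {
		o := strings.TrimSpace(raw)
		if u, err := url.Parse(o); err != nil || u.Scheme == "" || u.Host == "" {
			add("CORS_ORIGIN must list explicit origins, got: " + o)
		}
	}
	// Secrets must be fresh 64-hex values, not the samples from .env.example.
	for _, k := range []string{"JWT_SECRET", "TOKEN_ENCRYPTION_KEY"} {
		if v := env[k]; !hexKey64.MatchString(v) || exampleSecrets[v] {
			add(k + " must be a fresh value from `openssl rand -hex 32`")
		}
	}
	// ADMIN_BASIC_AUTH_HASH: `caddy hash-password` emits bcrypt by default, which starts with "$2".
	if !strings.HasPrefix(env["ADMIN_BASIC_AUTH_HASH"], "$2") {
		add("ADMIN_BASIC_AUTH_HASH is not a bcrypt hash; regenerate with caddy hash-password")
	}
	return findings
}
```

Call it from `main` with a map built from `os.Environ()` and refuse to start (or log loudly) when it returns anything.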

There aren't any published security advisories