Do not open a public issue for security vulnerabilities.

Email: adam@adamn.info

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if available)

You will receive a response within 48 hours. We take all reports seriously and will coordinate disclosure timing with you.

Issues that qualify:

• API key / credential leakage via error messages or logs
• Injection vulnerabilities (prompt injection, SQL, command)
• Authentication / authorization bypasses
• Exposure of shop or customer data
• Unsafe deserialization

Issues that don't qualify:

• Missing best practices that don't present a concrete vulnerability
• Theoretical attacks requiring unrealistic access levels
• Issues in 3rd party dependencies (report to upstream)

We follow a 90-day disclosure timeline:

1. Report received → acknowledgment within 48 hours
2. Investigation and fix within 30 days
3. Coordinated disclosure after 90 days (or sooner if agreed)