Security: tristanbudd/2fa-debug-tool

SECURITY.md

Security Policy

We take security seriously. If you discover a security vulnerability, please report it responsibly.

Because this repository deals with generated 2FA test setups, please treat all OTP secrets, QR payloads, and authenticator labels as sensitive data.

Reporting a Vulnerability

  1. Do not open a public issue. Instead, contact the maintainers privately by email at contact@tristanbudd.com, or open a private GitHub security advisory.
  2. Provide a clear description, steps to reproduce, and potential impact.
  3. We will acknowledge receipt within 48 hours and work with you to resolve the issue.

Please include:

  • Impacted route/feature
  • Reproduction steps
  • Expected vs actual behavior
  • Whether the issue could expose OTP secrets, QR payloads, or auth session data

Supported Versions

We will provide security fixes for the latest released version and any actively maintained previous release branches.

This project is new and currently considered pre-1.0.

Disclosure

We will coordinate disclosure timelines with the reporter. After fixes are released, we will publicly disclose the issue with credit to the reporter unless requested otherwise.
