We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. DO NOT open a public GitHub issue for security vulnerabilities
2. Email the maintainers directly or use GitHub's private vulnerability reporting feature
3. Include as much detail as possible:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: We will acknowledge receipt within 48 hours
• Assessment: We will assess the vulnerability and determine its severity
• Fix Timeline: Critical issues will be addressed within 7 days; others within 30 days
• Disclosure: We will coordinate disclosure timing with you

Sushi Focus implements several security measures:

• Local-only communication: Daemon binds to 127.0.0.1 only
• CORS restrictions: Configurable origin whitelist
• Bearer token authentication: Optional API authentication
• Input validation: All API inputs are validated
• No remote code execution: Commands are whitelisted

1. Keep Sushi Focus updated to the latest version
2. Set SUSHI_FOCUS_SECRET environment variable for API authentication
3. Review distraction domain lists before adding custom entries
4. Don't expose the daemon to external networks

Thank you for helping keep Sushi Focus secure!