Please do not file a public GitHub issue for security vulnerabilities.

• Email: security@aiscern.com
• PGP: (key available on request)
• Encrypted reports: Preferred for critical vulnerabilities

In-scope:

• Authentication and authorization bypasses
• SQL injection / RLS policy bypasses (Supabase)
• Remote code execution
• File upload vulnerabilities (MIME bypass, polyglot files)
• CSRF vulnerabilities
• Exposed secrets or credentials in the repository
• Data leakage between users (cross-account data access)
• Rate limiting bypasses that enable abuse

Out-of-scope:

• Denial of service via resource exhaustion without documented proof of impact
• Social engineering
• Physical attacks
• Vulnerabilities in third-party services (Clerk, Supabase, Cloudflare) — report directly to them

We treat vulnerability research conducted in good faith as follows:

• We will not pursue legal action for research within scope
• We will not restrict your access to the platform for reporting
• We will acknowledge your contribution in our Hall of Fame (with your permission)

1. Email security@aiscern.com with: severity, affected component, reproduction steps, potential impact
2. We acknowledge receipt within the SLA above
3. We investigate and provide a fix timeline
4. We notify you when the fix is deployed
5. Coordinated disclosure after fix (90-day embargo unless agreed otherwise)

Responsible reporters are recognized at aiscern.com/security/hall-of-fame.

• All traffic served over HTTPS/TLS 1.3 with HSTS
• Content-Security-Policy headers on all routes
• Row-level security (RLS) on all Supabase tables
• File uploads: MIME allowlist + magic byte validation, UUID-renamed, stored in private R2
• Rate limiting: Upstash Redis distributed (not in-memory)
• Secrets: never committed, all via environment variables
• Dependencies: audited weekly via npm audit in CI