Skip to content

Security: brett-buskirk/day-one

Security

SECURITY.md

Security Policy

Day One is a static, client-only app — no backend, no accounts, no server-side data. It stores only the current run locally in the browser (IndexedDB). There's no user data on a server to breach.

Reporting a vulnerability

If you find a security issue — a dependency advisory, a way to compromise the build pipeline, or anything that could harm a user's device — please report it privately:

  • Use GitHub's Security → "Report a vulnerability" (private advisory), or
  • if that isn't available, open a minimal issue noting it's security-related and asking to take it private.

Please don't disclose details in a public issue until it's been addressed. Thanks for helping keep people safe.

There aren't any published security advisories