Security: rahulpsdev/unsaid-chat-analyzer

SECURITY.md

Security Policy

Scope

Unsaid is a privacy-first, open-source tool. There are no user accounts, no stored chat data, and no database of user content. The attack surface is intentionally minimal.

Reporting a vulnerability

If you find a security issue, please do not open a public GitHub issue.

Email: business.rahulps@gmail.com
Subject line: [SECURITY] Unsaid — <short description>

Include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fix (optional)

We'll acknowledge within 48 hours and aim to resolve within 7 days for critical issues.

What we consider in-scope

  • CORS misconfiguration on the Edge Function
  • XSS vulnerabilities in the report renderer
  • Issues that could expose or leak user chat content
  • Rate limiting bypass on the analysis endpoint

What we consider out-of-scope

  • Denial of service against third-party AI providers
  • Issues requiring physical device access
  • Social engineering attacks

Privacy note

This project has no server-side storage of user data by design. If you believe user data is being persisted contrary to our stated policy, that is a critical issue — please report immediately.

There aren't any published security advisories