Thank you for helping make this project secure. This document explains how to report security issues and what to expect.
Responsible disclosure
- Please report suspected vulnerabilities privately so they can be addressed before public disclosure.
- Preferred contact: security@lexiapp.space (or use the project repository's private security contact if available).
- If you cannot use email, open a private support ticket with the same level of detail.
What to include
- A short description of the issue and the potential impact.
- Step-by-step reproduction instructions and a minimal test case if possible.
- Affected version(s) and environment details (OS, Node/Bun version, browser if applicable).
- Any relevant logs, stack traces, or screenshots.
How we handle reports
- We'll acknowledge receipt within 72 hours.
- We'll assess severity and provide an estimated remediation timeline.
- We'll coordinate any public disclosure with the reporter.
Public disclosures
- Do not publicly disclose vulnerabilities until the project maintainers have had reasonable time to fix the issue and coordinate disclosure.
Responsible testing
- Only test systems you own or have explicit permission to test.
- Avoid intrusive testing that could cause data loss, service disruption, or privacy breaches.
Third-party dependencies
- If a vulnerability is in a dependency, we will attempt to coordinate fixes with upstream maintainers and update the dependency as soon as practical.
Thank you for responsibly reporting security issues. Your help keeps users and the project safe.