Please report security vulnerabilities privately — do not open a public issue.
- Use GitHub's "Report a vulnerability" feature (Security → Advisories) on the repository, or
- email the maintainer at the address listed on the project profile.
Include:
- a description of the issue and its impact,
- steps to reproduce or a proof of concept,
- affected version / commit.
We aim to acknowledge reports within a few days and will keep you updated as we work on a fix. Please give us a reasonable window to remediate before any public disclosure.
In scope: the API, web app, and the encryption / SSRF / quota logic in this repository.
Out of scope: issues in third-party dependencies (report upstream), and the documented
residual risks in docs/THREAT_MODEL.md (e.g. that an operator
can decrypt SERVER-mode files — use a Zero-Knowledge vault for operator-private data).
OpenCoperLock is pre-1.0; security fixes target the main branch. Pin to a commit and
update regularly until tagged releases are published.