Skip to content

Security: fells-code/seamless-auth-starter-express

Security

SECURITY.md

Security Policy

Thank you for helping keep Fells Code projects and their users safe. This policy applies to every repository in the fells-code organization unless a repository provides its own SECURITY.md.

Reporting a Vulnerability

Please do NOT open a public GitHub issue for security problems.

Report privately through one of the following:

  • GitHub private vulnerability reporting (preferred): the "Report a vulnerability" button under the repository's Security tab.
  • Email: security@fells.codes with the subject Security Issue: <repository>.

When possible, include:

  • A clear description of the issue and its impact.
  • Steps to reproduce or a proof of concept.
  • Affected versions, commits, or deployment mode (self-hosted or hosted).
  • Any suggested mitigation.

We aim to acknowledge reports within 3 business days and to address critical issues within 30 days. We will coordinate disclosure with you and will not discuss the issue publicly until a fix or mitigation is available.

Scope

In scope: the source code, APIs, web apps, CLIs, browser extensions, and shared packages in Fells Code repositories, especially authentication, token, session, authorization, and cryptographic paths.

Out of scope: findings that require a compromised host or account, social engineering, denial of service through sheer volume, and issues in third-party dependencies that are already public and being tracked upstream.

Safe Harbor

We will not pursue or support legal action against researchers who report vulnerabilities in good faith, avoid privacy violations and service disruption, and give us reasonable time to respond before public disclosure.

There aren't any published security advisories