Responsible disclosure
How to report security issues without exposing live secrets.
Report safely
Use test data. Do not include live secrets, full private links, URL fragments, account tokens, API keys, recovery codes, or customer payloads in reports.
- Use test accounts
- Redact identifiers
- Describe impact and reproduction steps
Contact
Use the public contact path for security reports until a dedicated reporting portal is configured.
- Security contact: security@shhhs.net
- Status: https://status.shhhs.net
- Do not post exploitable details publicly before coordination