This document outlines how to report vulnerabilities, so we can pretend we're a responsible project while secretly hoping nobody finds the things we missed in that 3 a.m. commit.

If you’ve found a security issue — first of all, thank you for not turning it into a Medium post for clout.

Please email us privately at:
[BullsEysorg@gmail.com]

Include:

• A clear explanation of the bug (bonus points for screenshots and dramatic flair),
• Steps to reproduce (so we can cry efficiently),
• What you think it affects (if everything, just say “yes”).

Do not open a public issue unless you enjoy chaos and/or watching the internet burn.

• Obscurity is not security — though we admit, some of this code is unreadable by design.
• We assume all input is hostile, all users are unpredictable, and all dependencies are a trap.
• If you think that sounds paranoid, congrats: you understand modern software.

1. You report it.
2. We read it, blink twice, and start mumbling things like “how did this even happen?”
3. We try to reproduce the issue without breaking more stuff.
4. If confirmed, we patch it. Quietly. Quickly. Maybe even professionally.
5. We give you credit (unless you request anonymity or your name is something like ';DROP TABLE users;--).

We do our best to keep dependencies updated and moderately non-horrifying.
That said, if you find a CVE in one of them, assume we’re already pretending to deal with it.

Security is a process. A never-ending, caffeine-fueled, existentially draining process.
If you help us stay a few steps ahead of the digital entropy, we deeply appreciate it.

Or at least we’ll send you good karma, which is better than cash but worse than stickers.

Thanks for looking out. You’re the firewall this repo never knew it needed.