Please do not open a public GitHub issue for security vulnerabilities. A public report tells everyone — including potential attackers — about the issue before it's fixed.

1. Go to the repo's Security tab → Report a vulnerability
2. Fill in the form — only the maintainers will see it
3. We'll work with you privately and credit you in the fix

Direct link: Report a vulnerability

If you can't use GitHub's reporter, email hello@altersend.com with:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fix

• Acknowledgement within 48 hours
• Targeted fix within 14 days for critical issues
• A coordinated disclosure timeline if the fix requires more time
• Credit in the release notes (unless you prefer to stay anonymous)

In scope:

• The desktop app (Electron) in apps/desktop
• The mobile app (React Native / Expo) in apps/mobile
• The shared protocol/state packages in packages/

Out of scope:

• Vulnerabilities in third-party dependencies — please report those upstream
• Issues that require physical access to an unlocked device
• Social engineering of users