Security: mulkatz/mycel-web

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Mycel, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email: franz.benthin.dev@gmail.com

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if you have one)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Assessment: Within 1 week
  • Fix: Depends on severity, but we aim for:
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
    • Low: 90 days

Supported Versions

Version | Supported
Latest  | Yes
Older   | No

Security Best Practices

  • Never expose your .env files or Firebase credentials
  • Firebase config is public by design, but keep API keys in environment variables for flexibility
  • API tokens are managed by the Firebase SDK in memory — never store them in localStorage
  • Keep dependencies up to date

There aren’t any published security advisories