
Security: Gfermoto/BirdLense-Hub

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.2.x
0.1.x
< 0.1

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public issue.
  2. Create a private Security Advisory on GitHub, or
  3. Contact the maintainers directly (see repository description).

We will acknowledge your report and work on a fix. Please allow reasonable time before any public disclosure.

Security Recommendations

For production deployments:

  • Set settings_password in Settings → General. Wrong unlock attempts on verify-password are throttled per client IP: after 5 failures within 60 s the endpoint answers 429 (see docs/contributor/access-control.md).
  • Set PROCESSOR_SECRET and FLASK_SECRET_KEY (make setup or the deploy script generates them); never leave them at a placeholder value.
  • Set MCP_TOKEN when MCP is enabled.
  • Store secrets in environment variables, not in user_config.yaml.

See docs/contributor/security.md for a detailed risk analysis.
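The following is an added example for this page, not code from BirdLense-Hub: it shows the two mechanisms the recommendations above rely on, reading a secret from the environment and refusing to start when it is missing, and counting failed unlock attempts per client IP in a sliding 60 s window so that the sixth attempt inside the window is answered 429 before the password is even compared. The names require_secret, FailureThrottle and verify_password are illustrative, and the plaintext `expected` value is an assumption for brevity; a real deployment would compare against a stored password hash.

```python
"""Added example (not BirdLense-Hub code): fail-fast secret loading and a
per-IP failure throttle for a password-verify endpoint."""
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # policy on this page: 429 after 5 failures ...
WINDOW_SECONDS = 60.0   # ... within 60 seconds, counted per client IP


def require_secret(name, env=None):
    """Return the named secret from the environment.

    A missing, empty or obvious placeholder value raises instead of falling
    back to a default, so a misconfigured deployment fails at start-up rather
    than running with a guessable secret.  (Illustrative name.)
    """
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value or value.lower() in {"changeme", "secret", "password", "todo"}:
        raise RuntimeError(
            f"{name} must be set in the environment (not in user_config.yaml)")
    return value


class FailureThrottle:
    """Sliding-window count of failed attempts per client IP.

    Only failures are recorded; a successful unlock clears the IP's history.
    `clock` is injectable so the window can be tested without sleeping.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)   # ip -> timestamps of failures

    def _recent(self, ip, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, ip):
        return len(self._recent(ip, self.clock())) >= self.max_failures

    def record_failure(self, ip):
        now = self.clock()
        self._recent(ip, now).append(now)

    def reset(self, ip):
        self._failures.pop(ip, None)


def verify_password(throttle, client_ip, supplied, expected):
    """Return (http_status, message) for one unlock attempt.

    The throttle check runs before the comparison, so a blocked client learns
    nothing about the password.  hmac.compare_digest keeps the comparison
    constant-time; a real deployment would compare a password hash instead of
    the plaintext `expected` used here for brevity.
    """
    if throttle.is_blocked(client_ip):
        return 429, "too many failed attempts; retry after the window expires"
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_failure(client_ip)
        return 401, "wrong password"
    throttle.reset(client_ip)
    return 200, "unlocked"


if __name__ == "__main__":
    # Constructed demo: five wrong guesses from a TEST-NET-3 address, then a
    # correct one that is still rejected with 429 while the window is open.
    throttle = FailureThrottle()
    for _ in range(MAX_FAILURES):
        print(verify_password(throttle, "203.0.113.10", "guess", "correct-horse"))
    print(verify_password(throttle, "203.0.113.10", "correct-horse", "correct-horse"))
    print(verify_password(throttle, "203.0.113.11", "correct-horse", "correct-horse"))
```

Note that the block counts only failures, so a legitimate user who eventually gets the password right is not penalised for earlier typos once the window has passed, while an attacker cannot reset the counter by interleaving requests from another address.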

Repository hygiene (public clone)

  • Do not commit real production hostnames, public IPs, or secrets. Keep them in local untracked files (scripts/deploy.local.sh is gitignored; start from scripts/deploy.local.sh.example).
  • Where documentation needs an IP address, use an RFC 5737 documentation address (e.g. 203.0.113.10 from TEST-NET-3) or a private RFC 1918 address (e.g. 192.168.x.x).
  • If something sensitive was pushed by mistake, rotate the exposed credentials (treat anything pushed to the public repository as compromised, even after history cleanup), change hostnames or IPs where applicable, and consider history cleanup (see scripts/redact-git-history-leaks.sh).
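As an added example for this page (not one of the repository's own scripts), the check below flags IPv4 literals that are neither RFC 5737 documentation addresses nor RFC 1918 private addresses, so that a public IP is caught before it reaches the public clone. Run without arguments it scans a constructed sample; with `--staged` it scans only the lines being added by the staged git diff, which is how a pre-commit hook would use it. The function names and the sample are assumptions for illustration.

```python
"""Added example (not BirdLense-Hub code): flag public IPv4 literals before
they reach a public clone, usable as a pre-commit check."""
import ipaddress
import re
import subprocess
import sys

# Addresses acceptable in a public repository: RFC 5737 documentation ranges
# (TEST-NET-1/2/3) and RFC 1918 private ranges.
DOCUMENTATION_NETS = [ipaddress.ip_network(n) for n in
                      ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# A dotted quad not embedded in a longer token ("v1.2.3.4", "1.2.3.4.5" skip).
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")


def classify(addr_text):
    """Classify one dotted quad; None if it is not a valid IPv4 address."""
    try:
        addr = ipaddress.IPv4Address(addr_text)
    except ValueError:
        return None
    if any(addr in net for net in DOCUMENTATION_NETS):
        return "documentation"
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved):
        return "special"
    return "public"


def find_public_ips(text):
    """Return [(line_number, ip)] for every public IPv4 literal in text.

    A version string made of four small numbers (e.g. 1.2.3.4) is a valid
    address and will be reported; review such a hit rather than disabling
    the check.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IPV4_RE.finditer(line):
            if classify(match.group(1)) == "public":
                hits.append((lineno, match.group(1)))
    return hits


def public_ips_in_staged_diff():
    """Scan only lines added by the staged diff (pre-commit hook usage).

    Returns the distinct public IPs found; an empty list when nothing is
    staged or git is unavailable.
    """
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=False).stdout
    added = "\n".join(line[1:] for line in diff.splitlines()
                      if line.startswith("+") and not line.startswith("+++"))
    return sorted({ip for _, ip in find_public_ips(added)})


# Constructed sample input (not from the repository) for a stand-alone run.
SAMPLE = "\n".join([
    "# deploy.local.sh.example - constructed sample",
    "HUB_HOST=203.0.113.10      # TEST-NET-3: fine in docs",
    "LAN_HOST=192.168.1.20      # RFC 1918: fine",
    "CAMERA=198.51.100.7        # TEST-NET-2: fine",
    "REAL_HOST=8.8.8.8          # public: must not be committed",
])

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--staged":
        hits = public_ips_in_staged_diff()
        for ip in hits:
            print(f"public IPv4 literal in staged change: {ip}")
        sys.exit(1 if hits else 0)
    for lineno, ip in find_public_ips(SAMPLE):
        print(f"line {lineno}: public IPv4 literal {ip}")
```

The check deliberately allow-lists the documentation and private ranges explicitly instead of relying on a library notion of "private", so the policy it enforces is the one stated above and nothing more; hostnames and secrets need separate patterns or a dedicated secret scanner.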
