This security policy applies to vulnerabilities discovered in the main branch of the following components within the ACI.dev monorepo:
- /backend
- /frontend
Please report vulnerabilities related to other branches or components if you believe they are critical, but be aware that our primary focus for security patches is the main branch of these core components.
We take the security of ACI.dev very seriously. If you believe you've found a security vulnerability, please follow these steps:
- Do not disclose the vulnerability publicly or to any third parties.
- Minimize Harm: Make every effort to avoid accessing or downloading data that does not belong to you, disrupting services, or violating user privacy during your testing. If access to user data or confidential information is necessary to demonstrate the vulnerability, please minimize the amount accessed and report this immediately.
- Email us directly at [email protected] with:
  - Title format "[Vulnerability] Summary of issue".
  - Details of the vulnerability in the body.
- Include the following information in your report:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggestions for mitigation
- We will acknowledge receipt of your vulnerability report within 48 hours and provide an estimated timeline for a fix.
- Once the vulnerability is fixed, we will notify you and publicly acknowledge your contribution (unless you prefer to remain anonymous).
We consider security research and vulnerability disclosure activities conducted following this policy to be authorized and beneficial. We will not pursue legal action against individuals who report vulnerabilities in good faith and adhere to this policy, including the restrictions on public disclosure. This safe harbor does not apply to any actions that intentionally cause harm, disrupt services, violate user privacy, access or modify data beyond what is necessary to demonstrate the vulnerability, or violate any applicable laws.