Security: Jiseoup/showmycode

SECURITY.md

Security Policy

showmycode exists to share private code without exposing credentials, so we take security reports seriously.
Thank you for helping keep the project and its users safe.

Supported Versions

This project follows a rolling-release model — only the latest main (and the current deployment built from it) receives security fixes.
Please make sure a report reproduces against the latest main before submitting.

Reporting a Vulnerability

Please do not open a public issue, pull request, or discussion for security vulnerabilities.
A public report exposes the issue before a fix is available.

Instead, report privately through GitHub:

  1. Go to the Security tab of the repository.
  2. Click Report a vulnerability to open a private advisory.
  3. Include as much detail as you can:
    • A description of the vulnerability and its impact.
    • Steps to reproduce (or a proof of concept).
    • Affected files, routes, or configuration.
    • Any suggested remediation, if you have one.

We will acknowledge your report as soon as possible.
Once the issue is confirmed, we will work on a fix and coordinate disclosure with you.
We will credit reporters in the advisory unless you prefer to remain anonymous.

Scope

Issues that are especially relevant to showmycode's threat model include:

  • Anything that leaks the GITHUB_PAT to the client or to viewers.
  • Bypassing the share-token check in proxy.ts (token mode).
  • Accessing a repository that is not in the GITHUB_REPOS allowlist.
  • Weaknesses in the token comparison or cookie auth (lib/auth.ts).

Out of scope:

  • Vulnerabilities that require a misconfigured deployment (e.g. a committed .env.local, an over-scoped PAT, or a leaked SHARE_TOKEN).
  • Reports against dependencies that are already tracked by Dependabot, unless showmycode uses the affected code path in a way that increases the impact.