Email security@githat.io with:

• Description of the vulnerability + affected component (githat.io / api.githat.io / SDKs / consumer apps)
• Reproduction steps or proof-of-concept
• Your name + handle if you want public credit

We acknowledge within 48 hours, scope within 5 business days, and patch within 90 days for non-critical (faster for critical).

In scope:

• githat.io marketing + dashboard
• api.githat.io (Lambda backend in GitHat-IO/MicroBackEnds)
• @githat/nextjs SDK
• create-githat-app CLI
• Any GitHat-platform consumer app you suspect a cross-tenant boundary issue on

Out of scope:

• Third-party services (AWS, Stripe, SES, GitHub)
• Social-engineering attacks against employees
• Denial-of-service / volumetric attacks (covered by AWS Shield Standard)
• Issues in consumer apps unrelated to GitHat auth

• JWT signing: RS256 via AWS KMS (no shared signing secret with consumers)
• Public verification material: JWKS at https://api.githat.io/.well-known/jwks.json
• Audience-claim enforcement per consumer app
• CAA records on every platform domain (lockdown: amazon.com + amazon trust)

English.