Please do not open a public issue for security vulnerabilities.
Report privately through either channel:
- GitHub private advisory (preferred) — go to the Security tab and open a draft advisory.
- Email — syedmosayebalam@gmail.com with the subject line `recto security`.
Please include:
- a description of the issue and its impact,
- steps to reproduce (proof-of-concept if possible),
- affected version / commit, and
- any suggested remediation.
You can expect:
- Acknowledgement within 72 hours.
- An assessment and a remediation timeline once the report is triaged.
- Credit in the release notes when the fix ships, unless you prefer to remain anonymous.
Please give us a reasonable window to release a fix before any public disclosure.
recto handles CMS credentials and OAuth tokens. Reports touching credential storage/encryption (the envelope KEK flow), the magic-link auth path, webhook signature verification, or CMS write operations are especially valued.
This repository ships no live credentials. All secrets are supplied at runtime via `.dev.vars` (local) or `wrangler secret put` (production). If you ever find a real key committed to this repo, treat it as compromised and report it immediately so it can be rotated.