Security: 0800tim/unrot

Security Policy

Supported versions

We actively support the latest release. Pre-v1.0 is best-effort.

Version    Supported
v1.x       Yes
< v1.0     Best-effort

Reporting a vulnerability

Please do not open a public issue for security vulnerabilities.

If you find a genuine security issue (not a curated honeypot; see below), open a private security advisory at https://github.com/0800tim/unrot/security/advisories with:

  • A description of the issue
  • Steps to reproduce
  • Your assessment of severity and exploitability
  • Whether you want public credit when we disclose, and how you'd like to be credited

We respond to security reports within 72 hours. Serious issues get same-day acknowledgement. We'll coordinate disclosure timing with you, typically 30 days from report to public advisory, sooner if the issue is being actively exploited.


Honeypots vs real vulnerabilities

This project will (in v1.4+) contain deliberate, curated "honeypots" - discoverable puzzles that teach kids security concepts (view-source hints, encoded strings, hidden routes, and so on). These are not real vulnerabilities.

If you're a kid or security-curious person and you found something cool, try the following first:

  1. Check docs/HONEYPOTS.md (once published); it lists the known intentional puzzles
  2. Check whether you unlocked an achievement in the app; intentional honeypots reward you

If you've found something that:

  • Lets you access another kid's data or balance
  • Bypasses parent-authored constraints without the intended puzzle flow
  • Runs arbitrary code on another user's machine
  • Leaks secrets, keys, or credentials
  • Affects the host Supabase project beyond the reporter's own data
  • Breaks the isolation between families (once v1.1's multi-tenancy is live)

...that's a real vulnerability. Report it via a private security advisory, not a public issue. You'll likely get significant credit and our genuine gratitude.


Scope

In scope

  • The quiz PWA (platform/quiz/)
  • The Windows blocker (platform/blocker/)
  • The Supabase RPCs and schema (platform/supabase/)
  • Every fake-cheat installer under installers/ and their microsites
  • Published Docker images or deployment templates
  • The marketing site at unrot.you (marketing/site/)

Out of scope

  • Supabase itself - report to Supabase
  • Vercel itself - report to Vercel
  • .NET Runtime - report to Microsoft
  • Issues in third-party forks
  • Social engineering of project maintainers or contributors
  • Physical security of maintainers' machines
  • Denial-of-service via rate limits (we expect people to handle their own Supabase free-tier limits)

Safe harbour

We will not pursue legal action against researchers who:

  • Make a good-faith effort to comply with this policy
  • Don't exfiltrate, modify, or destroy data belonging to others
  • Don't degrade service for other users
  • Report promptly and don't publicly disclose before coordinated timing

This is our commitment to the security research community. If you're unsure whether something is okay, ask first via a private advisory.


What we can't promise

This project is built by volunteers in their spare time. We don't have a 24/7 SOC, a dedicated security team, or a bug bounty budget. What we promise is:

  • Fast acknowledgement (72 hours)
  • Honest communication about timeline and fix priority
  • Credit in the advisory and CREDITS.md
  • Gratitude

That's what we can offer. For most contributors, that's enough.
