Thank you for helping keep FormForge and its users safe. We take security issues seriously and appreciate responsible disclosure.

We currently support the latest release and the main branch. Security fixes may be applied to older versions when possible.

• Please do not open public GitHub issues for security reports.
• Instead, contact us privately via email: Buimanhhung3105@gmail.com

When reporting a vulnerability, please include:

• Affected version(s) and environment
• Steps to reproduce or proof-of-concept
• Potential impact and severity
• Suggested fixes or mitigations (if any)

We consider security research conducted under this policy to be authorized. If you follow these guidelines:

• We will not take legal action against you
• We will not involve law enforcement

Please make sure to:

• Avoid accessing or modifying user data unnecessarily
• Avoid actions that may harm system availability
• Only test vulnerabilities within safe boundaries

The following are generally not considered valid security reports:

• Automated scan results without clear impact
• Missing headers without real exploit scenarios
• Clickjacking on non-sensitive pages
• Vulnerabilities in dependencies without proven impact

We support responsible disclosure. Please give us reasonable time to investigate and fix the issue before making it public.