We take the security of Iffy and its users seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to [email protected]. You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
When submitting your vulnerability report, please provide the following details:
- Vulnerability category (for example, buffer overflow, SQL injection, or cross-site scripting)
- Complete file paths for the source file(s) where the issue appears
- A reference to the affected source code (such as a tag, branch, commit, or direct URL)
- Any specific configuration settings necessary to replicate the issue
- A detailed sequence of steps required to reproduce the issue
- If available, a sample proof-of-concept or exploit code
- An explanation of the vulnerability's potential impact, including how an attacker might exploit it
We prefer all communications to be in English.
When we receive a security bug report, we will:
- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare fixes for all affected versions
- Release new security fix versions