
Security: Fairfetch-co/fairad

Security

Reporting a vulnerability

We take security seriously. If you believe you have found a security vulnerability, please report it responsibly:

  • Do not open a public GitHub issue for security-sensitive bugs.
  • Open a private GitHub Security Advisory with a description and steps to reproduce.
  • We will acknowledge receipt and aim to respond within a reasonable time. We may ask for more detail and will coordinate disclosure if the report is accepted.

Security measures

FairAd implements multiple layers of security; see the Security section of the README and the list below:

  • URL validation (Discovery) — SSRF protection: private IPs, loopback, link-local, cloud metadata hosts (e.g. 169.254.169.254), and non-HTTPS schemes are blocked. Use FAIRAD_DISCOVERY_ALLOW_HTTP=true only in local development.
  • Input validation (API) — Category and amount are length- and pattern-limited; settlement IDs must match set_[a-f0-9]{16} to prevent path traversal or injection.
  • Signatures — Payment Commitments and Proof of Impression use Ed25519. Never expose FAIRAD_SIGNING_KEY; use environment variables or a secrets manager.
  • Proof of Human — Valid PoH is required for binding commitments. In production, set FAIRAD_POH_STRICT=true and use issuers with JWKS verification where applicable.
  • Transparency — The protocol requires disclosure text in the UI and in the PoI hash; this reduces hidden advertising and receipt forgery.
  • CORS — Set FAIRAD_CORS_ORIGINS to your allowed origins in production instead of *.

For production recommendations and threat model summary, see the full Security Policy in the README.

Thank you for helping keep FairAd and its users safe.
