Please do not open a public GitHub issue for security problems.

Email: lfzds4399@gmail.com with subject prefix [security] methods-harness:.

Include: vulnerable version, repro steps, impact assessment, and your contact preference.

• Acknowledgement: within 72 hours
• Triage + severity assessment: within 7 days
• Fix or mitigation plan: within 30 days for high-severity

The latest minor version receives security fixes. Older minors are best-effort.

methods-harness is single-author EdTech tooling. It is not a server, has no auth, and does not phone home. The realistic risk surface is:

1. PDF generation via headless browser (Microsoft Edge / Chromium) — make_pdf.py launches Edge in headless mode to print HTML to PDF. If you feed it untrusted markdown that injects <script> or external URLs, that script runs in the browser context.
2. SymPy simplify / solve — SymPy handles malicious symbolic input without executing arbitrary code, but exotic inputs can hang. Keep validator timeouts.
3. Optional .env — only used for diagram caching keys and is never committed.

• Render PDFs only from lesson markdown you wrote or reviewed.
• Pin methods-harness and sympy versions in your downstream project.
• If you embed lesson HTML in a webpage, sanitize the output — it is meant for static PDF, not for serving over the web.