Please report security vulnerabilities through GitHub's private vulnerability reporting feature:

Settings > Security > Advisories > Report a vulnerability

Do not open a public issue for security vulnerabilities.

We will acknowledge your report within 7 days and aim to provide a fix or mitigation plan within 30 days, depending on severity.

All face tracking in Pokebox runs entirely client-side using MediaPipe. No video or face data is transmitted to any server.