Security: techempower-org/techempower.org

SECURITY.md

Security policy

TechEmpower is a small nonprofit. We take security reports seriously and will act on them as quickly as we can.

Reporting a vulnerability

Do not file public issues for security reports. Send vulnerability disclosures to security@techempower.org. If we don't acknowledge receipt within 5 business days, escalate to jp@techempower.org.

In your report, please include:

  • A description of the vulnerability and what it affects.
  • Steps to reproduce, or a proof-of-concept if you have one.
  • The affected version(s) or commit hash, if known.
  • Your assessment of the impact and whether you've shared the report elsewhere.

What to expect

  • Acknowledgement within 5 business days.
  • Initial triage and severity assessment within 10 business days.
  • Fix or mitigation scoped to severity: we patch criticals as fast as we can, and lower-severity issues in our normal release cadence.
  • Public disclosure coordinated with you. We'll credit you in the release notes unless you'd prefer to stay anonymous.

Scope

This policy covers software published by TechEmpower (anything under github.com/techempower-org).

Out of scope:

  • Third-party dependencies. Report those upstream.
  • Social engineering, physical attacks, or denial of service via volume.
  • Theoretical issues without practical impact.

Safe-harbor

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, service degradation, and data destruction.
  • Report findings via the channel above and give us reasonable time to address them.

Thanks for keeping the people who rely on our tools safer.

There aren't any published security advisories