Do not open a public issue for security vulnerabilities.

Please report security issues via GitHub Security Advisories.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• API key handling and authentication bypass
• Rate limiter bypass
• Data exposure (leaking user data across projects/tenants)
• Injection via event properties or names
• GDPR deletion completeness

• 48 hours: Acknowledge receipt
• 7 days: Initial assessment and severity classification
• 30 days: Fix or mitigation for critical/high severity

• Denial of service via high event volume (use rate limiting configuration)
• Issues in dependencies (report upstream)
• Issues requiring physical access to infrastructure