
Security: Engineersmind/emc-auth-server


SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 1.5.x   | ✅ Active support |
| 1.4.x   | ✅ Security patches only |
| < 1.4   | ❌ End of life |

Reporting a Vulnerability

Do not file a public GitHub issue for security vulnerabilities.

Report vulnerabilities privately via GitHub's built-in security advisory system:

  1. Go to: https://github.com/Engineersmind/emc-auth-server/security/advisories/new
  2. Fill in: affected version, description, reproduction steps, and impact assessment
  3. You will receive an acknowledgement within 48 hours
  4. We aim to release a patch within 7 days for critical issues and within 14 days for high-severity issues

If you cannot use GitHub advisories, email the maintainer listed in CODEOWNERS with [SECURITY] in the subject line.


Scope

In Scope

  • Authentication bypass (login, token refresh, TOTP)
  • Authorization bypass (tenant isolation, permission escalation)
  • SQL injection or other injection attacks
  • JWT forgery or secret disclosure
  • SAML assertion forgery or replay
  • API key exposure or brute-force weaknesses
  • CORS misconfiguration allowing cross-origin credential theft
  • Audit log tampering or bypass
  • Information disclosure in error responses

Out of Scope

  • Vulnerabilities requiring physical access to the server
  • Denial of service attacks (the rate-limiting thresholds are a known tradeoff, not a bug)
  • Issues in dependencies — report those upstream; we will update promptly
  • Social engineering or phishing

Security Controls Reference

| Control | Implementation |
|---------|----------------|
| Password hashing | bcrypt, cost 12 |
| JWT signing | HS256 with a per-tenant secret, 1h TTL |
| Refresh tokens | Atomic rotation; presenting an already-used token returns 401 |
| TOTP secrets | AES-256-GCM encrypted at rest |
| API keys | SHA-256 hash stored; the raw key is shown once, at creation |
| SQL queries | pgx v5 positional parameters throughout |
| Rate limiting | 5/min/IP + 10/min/tenant on login |
| Security headers | HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP |
| Audit logging | 21 event types, tenant-scoped + system-wide, fire-and-forget |
| Tenant isolation | All queries scoped to tenant_id; cross-tenant access requires tenant:manage |
| CORS | Per-tenant origin whitelist, Redis-cached |
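
The JWT row above says HS256, a per-tenant secret and a 1h TTL, which leaves two questions a reviewer would ask: which tenant's secret is used to verify, and what happens when a token signed for one tenant is presented to another. The following is an added example, not code from emc-auth-server (Go is assumed from the pgx v5 reference); the secret map, claim names and `Mint`/`Verify` functions are this example's own. It pins the algorithm, verifies the signature with the secret of the tenant the request is routed to (never a tenant named inside the unverified token), and only then checks the `tid` and `exp` claims.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Per-tenant signing secrets, constructed for this example; how the real server
// stores its secrets is not described on the page.
var tenantSecrets = map[string][]byte{
	"acme":   []byte("acme-secret-0123456789abcdef0123456789abcdef"),
	"globex": []byte("globex-secret-0123456789abcdef0123456789abc"),
}

// accessTTL mirrors the 1h TTL in the controls table.
const accessTTL = time.Hour

// Claims is the minimal claim set used here; the claim names are this example's choice.
type Claims struct {
	Sub string `json:"sub"`
	Tid string `json:"tid"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 is HMAC-SHA256 over the JWT signing input (header.payload).
func hs256(secret []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Mint issues a token for user sub of tenant tid, signed with that tenant's secret.
func Mint(tid, sub string, now time.Time) (string, error) {
	secret, ok := tenantSecrets[tid]
	if !ok {
		return "", errors.New("unknown tenant")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(Claims{Sub: sub, Tid: tid, Exp: now.Add(accessTTL).Unix()})
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(hs256(secret, signingInput)), nil
}

// Verify validates token for the tenant the request is routed to. expectedTid comes
// from the request context (route, host, API key owner), never from the unverified
// token, so a token is only ever checked against its own tenant's secret.
func Verify(expectedTid, token string, now time.Time) (*Claims, error) {
	secret, ok := tenantSecrets[expectedTid]
	if !ok {
		return nil, errors.New("unknown tenant")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm before anything else: alg=none, or RS256 confusion where a
	// public key is fed in as the HMAC secret, must fail here.
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	// Constant-time compare; the signature is checked before any claim is trusted.
	if !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Tid != expectedTid {
		return nil, errors.New("tenant mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	now := time.Now()
	tok, _ := Mint("acme", "alice", now)
	c, err := Verify("acme", tok, now)
	fmt.Println("acme:", c != nil, err)
	_, err = Verify("globex", tok, now) // same token, other tenant's secret
	fmt.Println("globex:", err)
	_, err = Verify("acme", tok, now.Add(2*time.Hour))
	fmt.Println("after 2h:", err)
}
```

The order of checks is the point: algorithm pinned, signature verified with the expected tenant's secret, and only then are claims decoded and compared, so a forged or cross-tenant token never influences which secret is used.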

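The refresh-token row says rotation is atomic and that a replayed token returns 401. The example below is added here to show what that means in code; it is not the project's implementation (Go assumed from the pgx v5 reference). An in-memory map guarded by a mutex stands in for the Postgres table and a transaction, and the 30-day refresh lifetime, the `family` column and the `Issue`/`Rotate` names are this example's assumptions. Each raw token is stored only as its SHA-256, a token can be exchanged exactly once, and a second presentation of a spent token is treated as evidence of theft: the whole family is revoked so the attacker's fresh token dies along with the victim's.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// refreshTTL is an assumption for this example; the page gives no refresh-token lifetime.
const refreshTTL = 30 * 24 * time.Hour

// record is the persisted row for one refresh token. Only the SHA-256 of the raw
// token is stored, so reading the table does not yield a usable token.
type record struct {
	family   string // every token descended from one login shares a family
	tenantID string
	userID   string
	used     bool // set once the token has been exchanged
	expires  time.Time
}

// Store is an in-memory stand-in for the server's Postgres table (constructed for
// this example); the mutex plays the role of a single transaction.
type Store struct {
	mu   sync.Mutex
	rows map[string]*record // keyed by hex(SHA-256(raw token))
}

func NewStore() *Store { return &Store{rows: map[string]*record{}} }

var ErrUnauthorized = errors.New("unauthorized")

func hashToken(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

func newRawToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue starts a new token family at login and returns the raw token, shown once.
func (s *Store) Issue(tenantID, userID string, now time.Time) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	raw := newRawToken()
	s.rows[hashToken(raw)] = &record{family: newRawToken(), tenantID: tenantID, userID: userID, expires: now.Add(refreshTTL)}
	return raw
}

// Rotate exchanges a refresh token for a fresh one. Marking the old token used and
// inserting its successor happen under one lock, so two concurrent presentations of
// the same token cannot both succeed. Returns the new raw token and an HTTP status:
// 200 on success, 401 for unknown, expired, wrong-tenant or replayed tokens.
// A replay (a token already marked used) proves the token leaked, so the entire
// family is revoked and the legitimate client is forced to log in again.
func (s *Store) Rotate(tenantID, raw string, now time.Time) (string, int, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.rows[hashToken(raw)]
	if !ok || rec.tenantID != tenantID || !now.Before(rec.expires) {
		return "", http.StatusUnauthorized, ErrUnauthorized
	}
	if rec.used {
		s.revokeFamilyLocked(rec.family)
		return "", http.StatusUnauthorized, fmt.Errorf("%w: replay detected, family revoked", ErrUnauthorized)
	}
	rec.used = true
	next := newRawToken()
	s.rows[hashToken(next)] = &record{family: rec.family, tenantID: rec.tenantID, userID: rec.userID, expires: now.Add(refreshTTL)}
	return next, http.StatusOK, nil
}

// revokeFamilyLocked deletes every token in a family; the caller must hold s.mu.
func (s *Store) revokeFamilyLocked(family string) {
	for h, r := range s.rows {
		if r.family == family {
			delete(s.rows, h)
		}
	}
}

func main() {
	s := NewStore()
	now := time.Now()
	t1 := s.Issue("acme", "alice", now)
	t2, code, _ := s.Rotate("acme", t1, now)
	fmt.Println("rotate t1:", code, "successor issued:", t2 != "")
	_, code, err := s.Rotate("acme", t1, now) // replay of the spent token
	fmt.Println("replay t1:", code, err)
	_, code, err = s.Rotate("acme", t2, now) // successor is gone as well
	fmt.Println("t2 after replay:", code, err)
}
```

In a real deployment the mutex becomes a single `UPDATE ... WHERE token_hash = $1 AND used = false RETURNING ...` (or equivalent) inside one transaction, so that the check-and-mark step cannot race; the 401 on replay is the same in both cases.
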
Disclosure Policy

We follow responsible disclosure. Once a fix is released:

  • We will publish a security advisory on GitHub
  • The advisory will credit the reporter (unless anonymity is requested)
  • We will update this document and the CHANGELOG
