Please report security vulnerabilities privately — do not open a public issue, pull request, or discussion.
Email ashwin[at]sabha.co with:
- A description of the vulnerability and its impact
- Steps to reproduce (proof-of-concept if you have one)
- Any relevant logs, versions, or configuration
You can expect an acknowledgement within a few days. If you haven't heard back, please follow up — it likely means the first email didn't reach us. We're happy to credit you once the issue is resolved (let us know if you'd prefer to stay anonymous).
Please give us a reasonable window to ship a fix before any public disclosure.
Once we receive your report, we'll:
- Confirm the issue and determine which versions are affected.
- Audit the codebase for similar or related problems.
- Prepare a fix and ship it.
- Keep you updated as we work through it.
Sabha ships from main. Security fixes land there; please run the latest version
before reporting.