Security
Learn how to report security issues, what to include, and the testing boundaries for Capell, its marketplace, and related packages.
How to report
Send security reports to [email protected]. Include the affected package or route, the version if you know it, reproduction steps, impact, logs or screenshots where useful, and whether the issue affects a live website.
Please avoid public disclosure until we have had a reasonable chance to investigate and coordinate a fix or advisory.
What to report
Useful reports include authentication bypass, account takeover, data exposure, unsafe package behaviour, malicious extensions, dependency compromise, broken authorisation, signed-route bypass, stored XSS, SQL injection, remote code execution, or marketplace install and upgrade issues that could harm a Capell site.
Testing boundaries
Do not access another person's account, download private data, alter live content, run destructive tests, degrade service, social-engineer users, or test against third-party systems without permission.
If you need to prove impact, use the smallest safe reproduction. Stop as soon as you have enough evidence.
Response
We aim to acknowledge serious reports quickly, triage impact, contact affected authors where needed, prepare fixes, and publish advisories when site owners need to act.
High-risk marketplace packages may be hidden, delisted, blocked from install, or marked unsafe while a report is investigated.
Package authors
Authors must keep a working security contact, respond to vulnerability reports, and publish fixes promptly. Where an issue affects installed websites, Capell may send owner notifications or publish an advisory even if the author has not responded.