+# Security Policy

+

+showmycode exists to share private code *without* exposing credentials, so we take security reports seriously.

+Thank you for helping keep the project and its users safe.

+

+## Supported Versions

+

+This project follows a rolling-release model — only the latest `main` (and the current deployment built from it) receives security fixes.

+Please make sure a report reproduces against the latest `main` before submitting.

+

+## Reporting a Vulnerability

+

+**Please do not open a public issue, pull request, or discussion for security vulnerabilities.**

+A public report exposes the issue before a fix is available.

+

+Instead, report privately through GitHub:

+

+1. Go to the [**Security** tab](https://github.com/Jiseoup/showmycode/security)

+ of the repository.

+2. Click **Report a vulnerability** to open a private advisory.

+3. Include as much detail as you can:

+ - A description of the vulnerability and its impact.

+ - Steps to reproduce (or a proof of concept).

+ - Affected files, routes, or configuration.

+ - Any suggested remediation, if you have one.

+

+We will acknowledge your report as soon as possible.

+Once the issue is confirmed, we will work on a fix and coordinate disclosure with you.

+We will credit reporters in the advisory unless you prefer to remain anonymous.

+

+## Scope

+

+Issues that are especially relevant to showmycode's threat model include:

+

+- Anything that leaks the `GITHUB_PAT` to the client or to viewers.

+- Bypassing the share-token check in `proxy.ts` (token mode).

+- Accessing a repository that is not in the `GITHUB_REPOS` allowlist.

+- Weaknesses in the token comparison or cookie auth (`lib/auth.ts`).

+

+Out of scope:

+

+- Vulnerabilities that require a misconfigured deployment (e.g. a committed `.env.local`, an over-scoped PAT, or a leaked `SHARE_TOKEN`).

+- Reports against dependencies that are already tracked by Dependabot, unless showmycode uses the affected code path in a way that increases the impact.