If you discover a security vulnerability in Unicon, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email [email protected] with:

• A description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.

This policy covers:

• The Unicon web application (unicon.sh)
• The @webrenew/unicon CLI package
• The @webrenew/unicon-mcp-server MCP server package
• Authentication and authorization flows
• Payment processing (Stripe integration)
• API endpoints

• Third-party services (Supabase, Stripe, Vercel)
• Social engineering attacks
• Denial of service attacks