Please do not report security vulnerabilities through public GitHub issues.

Use GitHub's private vulnerability reporting:

1. Go to Security → Advisories → New draft advisory
2. Fill in the vulnerability details
3. Submit for review

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact
• Any suggested fixes (optional)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Resolution target: Within 90 days (depending on severity)

This policy applies to:

• The porterminal Python package
• The frontend TypeScript code
• WebSocket communication
• Cloudflare tunnel integration

• Vulnerabilities in Cloudflare's infrastructure
• Issues in third-party dependencies (report to upstream)
• Social engineering attacks

Porterminal exposes terminal access over the network. Users should:

• Only run on trusted networks
• Use the URL-based authentication token
• Be aware that terminal output is transmitted over WebSocket