Security: CPTNZ-Tech/.github

SECURITY.md

Security Policy

The Captains Cloud team takes the security of our platform and our partners' data seriously.

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Instead, report it privately through either channel:

  1. Email support@captains.cloud with the subject line SECURITY: <short summary>.
  2. GitHub Private Vulnerability Reporting — use the "Report a vulnerability" button under the Security tab of the affected repository (where enabled).

Please include, where possible:

  • The affected repository, service, or endpoint.
  • A description of the vulnerability and its potential impact.
  • Steps to reproduce (proof of concept).
  • Any suggested remediation.

Our commitment

  • We will acknowledge your report within 3 business days.
  • We will provide an assessment and expected remediation timeline within 10 business days.
  • We will keep you informed of progress and credit you (if you wish) once resolved.

Scope

Security-sensitive areas include, but are not limited to: authentication & authorization, tenant isolation, the partner API, the wallet/billing ledger, proof of delivery, webhook signing, and any handling of personal or financial data.

Safe harbor

We will not pursue or support legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
  • Only interact with accounts they own or have explicit permission to access.
  • Report promptly and give us a reasonable time to remediate before public disclosure.

Thank you for helping keep Captains Cloud and our partners safe.
