Security

Last updated: February 25, 2026

We apply role-based access checks, server-side validation, rate limits, secure cookies, and a hardened Content Security Policy (CSP) in production to protect event and participant data.

If you identify a vulnerability, please report it privately and include reproduction steps, the affected route, and the potential impact.

Do not run denial-of-service tests, social engineering, or destructive testing on production systems.

See repository-level reporting details in SECURITY.md.