Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private vulnerability reporting to report security issues confidentially.

• A clear description of the vulnerability
• Steps to reproduce the issue
• Potential impact (what data or functionality is affected)
• Any suggested fix or mitigation, if you have one

• Acknowledgement within 48 hours
• An assessment and timeline within 7 days
• A fix or workaround communicated back to you before public disclosure

We follow coordinated disclosure: please give us reasonable time to address the issue before making it public.

This project handles educator-created rubrics and student essay evaluations. Areas of particular concern:

• Authentication and session management (Supabase Auth / Google OAuth)
• PIN-based access control for student sessions
• Row-level security on rubric and submission data
• Input validation on essay submissions

• Vulnerabilities in third-party dependencies (report those upstream)
• Issues that require physical access to a device
• Social engineering attacks