CCPEDIA by Unity Nodes

Security Disclosure

How to report vulnerabilities in CCPEDIA. Machine-readable copy at /.well-known/security.txt.

Reporting

Email security@unitynodes.com or open a private advisory at github.com/UnityNodes/ccpedia/security/advisories/new. GitHub advisories are encrypted end-to-end and give a private audit trail; pick whichever you prefer. For non-security questions, use the contact form.

Please include reproduction steps, affected URL or endpoint, browser/agent, and any logs you have. If the issue is sensitive, request a PGP key in your first message and we will respond out-of-band.

Response timeline

  • 72h: initial acknowledgement.
  • 7d: severity assessment and patch plan or risk acceptance.
  • 30d: public disclosure once a fix is deployed, unless the reporter prefers earlier.

Scope

In scope:

  • ccpedia.xyz and its subdomains.
  • /api/v1/* REST endpoints, /mcp MCP server, /api/feed/* feeds.
  • /api/chat (Cippy) — prompt-injection that exfiltrates DB rows or hidden context.
  • Admin surface (/admin/*, /api/admin/*) and the metrics endpoint.

Out of scope:

  • Rate-limit volume tests, denial-of-service, automated scanners flooding /api/chat.
  • Issues only reproducible with a custom client that disables CSP or modifies bundled JS.
  • Reports based on missing security headers without a concrete exploit.
  • Third-party services we depend on (DefiLlama, Cohere, Groq, Gemini) — report those upstream.

Safe harbour

Good-faith research on this scope, conducted without privacy or availability damage, will not lead to legal action. Please avoid touching production data of other users (chat history, feedback, IPs).

Acknowledgements

No reports received yet. Future reporters who opt in will be credited here with their name and GitHub/Twitter handle.