If you discover a security issue in In Weeks, please report it privately by opening a GitHub security advisory on the repository. Please do not open a public issue for security vulnerabilities, since that discloses the problem before a fix is available.
In scope:
- XSS, CSRF, or injection vulnerabilities in the In Weeks web app
- Issues that could lead to data leakage from localStorage
- Supply chain risks in our dependencies
- Vulnerabilities in the share image generation flow
Out of scope:
- Issues in third-party services we do not control (Google Fonts CDN, Vercel hosting)
- Self-XSS via browser console
- Lack of rate limiting on a static site
- "Issues" that require physical access to the user's device
- Anything that requires the victim to install a malicious browser extension
We aim to acknowledge security reports within 7 days and to release a fix for confirmed issues within 30 days.
Reporters of valid issues will be credited (with their permission) in the release notes.