If you discover a security vulnerability in Hushletter, please report it responsibly:

1. Do NOT open a public issue
2. Use GitHub's private vulnerability reporting

We will acknowledge receipt within 48 hours and provide a timeline for a fix.

The following areas are in scope for security reports:

• Web application (apps/web)
• Email processing worker (apps/email-worker)
• Convex backend functions (packages/backend)
• Authentication and authorization flows
• Newsletter content handling and sanitization
• Public sharing endpoints