Security: Uttam-Mahata/RootAccess

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest (main)

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Please report security issues privately by emailing:

contact@rootaccess.live

Include the following in your report:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof-of-concept
  • Any suggested fixes or mitigations (optional)

You can expect an acknowledgement within 48 hours and a resolution timeline within 7 days, depending on severity.

Scope

The following are in scope for security reports:

  • Authentication and authorization bypasses
  • JWT token vulnerabilities
  • SQL/NoSQL injection
  • Cross-site scripting (XSS)
  • Sensitive data exposure
  • Rate limiting bypasses on flag submission or auth endpoints
  • Admin privilege escalation via API

Out of Scope

  • Vulnerabilities in intentionally vulnerable CTF challenge content (those are features, not bugs)
  • Issues requiring physical access to the server
  • Social engineering attacks

Disclosure Policy

We follow responsible disclosure. Once a fix is released, we will acknowledge the reporter (with permission) in the release notes.
