Security Policy
Last updated: April 28, 2026. Machine-readable companion: /.well-known/security.txt (RFC 9116).
Reporting a vulnerability
Email security@colorui.io with a clear description, reproduction steps, affected URL or surface, and the impact you expect. PGP is optional - if you prefer encrypted mail, request our public key in your first message and we will reply with it. Please do not open a public GitHub issue for security findings.
Our commitments
- Acknowledgement within 2 business days.
- Triage and severity rating within 5 business days.
- Fix or mitigation for High/Critical issues within 14 days; Medium within 30 days.
- Public credit in the Hall of Fame below (with your consent).
- Safe harbor: good-faith research that follows this policy will not result in legal action.
In scope
- Every *.colorui.io domain.
- Every package we publish: colorui, @colorui/mcp, and any future @colorui/*.
- Every extension we ship: Chrome, Firefox (when published), Figma, VSCode, Raycast.
- The colorui/contrast-action GitHub Action.
- The MCP server (mcp/) and CLI (cli/) source.
Out of scope
- Third-party services we link to or proxy (we cannot fix what we do not control).
- Reports requiring physical access, social engineering of staff, or rate-limit / brute-force volume tests.
- Findings on *.vercel.app preview deployments - report against the production URL only.
- Missing defense-in-depth headers on endpoints that already enforce the underlying control.
- Self-XSS or any issue requiring the victim to paste attacker-controlled code into the DevTools console.
How we ship security
- Strict CSP (including frame-ancestors 'none'), HSTS preload, COOP.
- Server-side SVG sanitiser pinned by a regression test (tests/sanitize-svg.spec.ts).
- Image-fetch endpoint guards against SSRF: literal and resolved private address ranges are refused, redirects are capped, and the response Content-Type must be on an image MIME allow-list.
- Per-IP rate limits on every public endpoint, with X-RateLimit-* headers exposed.
- Weekly CodeQL scans plus per-PR scans on every change to source.
- Dependabot grouped updates plus contract test suite that re-runs on every PR.
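The three SSRF guards named above (private-range block, redirect cap, MIME allow-list), as an added illustration in TypeScript. This is not colorui's code: the names isPrivateAddress, guardedFetch, Fetcher and rejectionReason, the cap of 3 redirects, the allow-listed image types and the fake server responses are all assumptions made for this example; the policy only states that the endpoint enforces those three controls.

```typescript
// Added illustration of the three SSRF guards the policy names (private-range
// block, redirect cap, MIME allow-list). Not colorui's code: every name, the cap
// of 3 and the allow-listed types are assumptions made for this example.

const IMAGE_MIME_ALLOWLIST = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);
const MAX_REDIRECTS = 3;

// IPv4 ranges a server-side fetcher must refuse: unspecified, loopback, RFC 1918,
// shared address space, link-local (covers 169.254.169.254 cloud metadata).
function isPrivateIPv4(ip: string): boolean {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return false;
  const [a, b] = parts;
  return a === 0 || a === 10 || a === 127 ||
    (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// IPv6: unspecified, loopback, link-local, unique-local, and IPv4-mapped addresses
// (WHATWG URL serialises ::ffff:127.0.0.1 as ::ffff:7f00:1, so both forms are handled).
function isPrivateIPv6(raw: string): boolean {
  const ip = raw.toLowerCase().replace(/^\[|\]$/g, "");
  if (ip === "::" || ip === "::1") return true;
  if (ip.startsWith("fe80:") || ip.startsWith("fc") || ip.startsWith("fd")) return true;
  const mapped = ip.match(/^::ffff:(.+)$/);
  if (!mapped) return false;
  const tail = mapped[1];
  if (tail.includes(".")) return isPrivateIPv4(tail);
  const groups = tail.split(":").map((g) => parseInt(g, 16));
  if (groups.length !== 2 || groups.some(Number.isNaN)) return true; // unparseable: fail closed
  const [hi, lo] = groups;
  return isPrivateIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
}

// Rejects literal IP hosts in blocked ranges and localhost names. Checking the hostname
// produced by the WHATWG URL parser means hex/octal IPv4 tricks (0x7f.1) arrive already
// normalised to dotted form. A real deployment must also resolve the name, check every
// resolved IP and connect to that exact IP (DNS pinning), or a rebinding host defeats
// this check; that step needs a network and is not shown here.
function isPrivateAddress(host: string): boolean {
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  return host.includes(":") ? isPrivateIPv6(host) : isPrivateIPv4(host);
}

// Minimal response shape so the guard can run offline against a fake fetcher.
interface HeadResponse { status: number; headers: Record<string, string> }
type Fetcher = (url: string) => HeadResponse;

// Walks redirects by hand (never fetch with automatic follow) so every hop is re-checked.
// Returns the final URL if all checks pass, otherwise throws with the reason.
function guardedFetch(fetch: Fetcher, start: string): string {
  let current = start;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const url = new URL(current);
    if (url.protocol !== "https:") throw new Error(`scheme not allowed: ${url.protocol}`);
    if (isPrivateAddress(url.hostname)) throw new Error(`private address: ${url.hostname}`);
    const res = fetch(current);
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers["location"];
      if (!location) throw new Error("redirect without Location");
      current = new URL(location, current).toString(); // relative Location resolves against this hop
      continue;
    }
    const mime = (res.headers["content-type"] ?? "").split(";")[0].trim().toLowerCase();
    if (!IMAGE_MIME_ALLOWLIST.has(mime)) throw new Error(`MIME not allowed: ${mime || "(none)"}`);
    return current;
  }
  throw new Error(`more than ${MAX_REDIRECTS} redirects`);
}

// Constructed responses standing in for remote servers; no network is touched.
const FAKE_SERVERS: Record<string, HeadResponse> = {
  "https://img.example.com/a.png": { status: 200, headers: { "content-type": "image/png" } },
  "https://img.example.com/r1": { status: 302, headers: { location: "/r2" } },
  "https://img.example.com/r2": { status: 301, headers: { location: "https://img.example.com/a.png" } },
  "https://img.example.com/meta": { status: 302, headers: { location: "https://169.254.169.254/latest/meta-data/" } },
  "https://img.example.com/loop": { status: 302, headers: { location: "https://img.example.com/loop" } },
  "https://img.example.com/page": { status: 200, headers: { "content-type": "text/html; charset=utf-8" } },
};
const fakeFetch: Fetcher = (url) => FAKE_SERVERS[url] ?? { status: 404, headers: {} };

// Returns null when the fetch is allowed, otherwise the rejection reason.
function rejectionReason(start: string): string | null {
  try { guardedFetch(fakeFetch, start); return null; }
  catch (e) { return (e as Error).message; }
}

for (const path of ["a.png", "r1", "meta", "loop", "page"]) {
  console.log(path, "->", rejectionReason(`https://img.example.com/${path}`) ?? "allowed");
}
```

The redirect to the metadata address is blocked on the second hop because each hop is re-parsed and re-checked; a client that follows redirects internally would have made that request before the guard ever saw the final URL.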
Hall of Fame
Researchers who responsibly disclosed a confirmed issue, in chronological order. Want to be on this list? See Reporting a vulnerability above.
- Be the first - we are actively listening.
Past advisories
Resolved security advisories are published as GitHub Security Advisories on the source repository, with CVE assignment requested where appropriate.