Report a security issue
Use this page for coordinated security disclosure. Test with your own accounts and synthetic data only.
Where to report
Email: security@shhhs.net.
Reporting URL: https://shhhs.net/security-report.
If email is not available, use /contact and select security in the message.
What to include
Include the affected route or endpoint, reproducible steps, observed impact, browser or CLI version if relevant, and whether the issue affects public pages, app flows, API keys, request links, chat rooms, billing, or admin access.
Use test accounts, test payloads, and redacted screenshots.
What not to include
Do not send passwords, account tokens, recovery codes, OTPs, API keys, passphrases, full secret links, URL fragments, private file contents, or live customer data.
Do not access, modify, delete, exfiltrate, or disclose another person's data.
Safe harbor boundary
Good-faith testing must avoid privacy violations, service disruption, social engineering, spam, physical attacks, credential stuffing, destructive actions, and persistence. Shhhs may ask you to stop testing while a report is reviewed.
Response target
Target first response: 5 business days. Resolution timing depends on severity, reproducibility, and operational risk.