Security: jooservices/XCrawler

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not open public issues for suspected vulnerabilities.

Report security concerns privately to admin@jooservices.com with:

  • summary
  • affected environment or version
  • impact
  • reproduction details
  • logs or traces with secrets removed

No SLA is guaranteed.

Do Not Share

Do not include secrets, API keys, cookies, session values, private URLs, .env contents, SSH keys, or production IPs in public issues, prompts, screenshots, or logs.

XCrawler-Specific Risks

  • SSRF from unsafe URL crawling.
  • Crawling arbitrary internal/private URLs.
  • Untrusted HTML from external sites.
  • Script injection from crawled titles/descriptions/metadata.
  • Secret leakage in crawl logs or raw HTTP logs.
  • Excessive crawling, rate-limit violations, or robots/legal issues.
  • Destructive ES/DB/Redis/storage commands.
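A pre-fetch destination check for the first two risks in the list, as an added example that is not code from the XCrawler repository. The function name `assertCrawlable`, the injected resolver, and the sample hosts and addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not XCrawler code. assertCrawlable() and the sample data are hypothetical.
// $resolver maps a hostname to a list of IP strings; it is injected so the check runs
// offline here. Production code would wrap a real DNS lookup.
// Returns the vetted IP list, or throws if the target must not be crawled.
function assertCrawlable(string $url, callable $resolver): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('unparseable URL');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL');
    }
    $host = trim($parts['host'], '[]'); // parse_url() keeps brackets on IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($ips === []) {
        throw new InvalidArgumentException('host does not resolve');
    }
    foreach ($ips as $ip) {
        // Reject if ANY answer is private or reserved: one internal record is enough for SSRF.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new InvalidArgumentException("non-public address $ip");
        }
    }
    return $ips;
}

// Constructed sample data: a fake DNS table and crawl targets.
$fakeDns = [
    'news.example'     => ['203.0.113.10'],
    'intranet.example' => ['10.0.0.5'],
    'mixed.example'    => ['203.0.113.10', '127.0.0.1'],
];
$resolver = fn (string $h): array => $fakeDns[$h] ?? [];
$targets = ['https://news.example/a', 'http://intranet.example/', 'http://mixed.example/',
            'http://169.254.169.254/latest/', 'http://[::1]:6379/', 'file:///etc/passwd'];
foreach ($targets as $url) {
    try {
        assertCrawlable($url, $resolver);
        echo "ALLOW  $url\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT $url ({$e->getMessage()})\n";
    }
}
```

The fetch has to connect to the address that was vetted (for example by pinning it with cURL's `CURLOPT_RESOLVE`) and the check has to be repeated on every redirect hop. Otherwise a second DNS lookup or a `Location` header can still lead the crawler to an internal address.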

Dependency and Config Security

Run Composer/NPM audits where practical. Keep deploy secrets in secret stores, not repository files. Review crawler audit logging before production because response bodies can contain sensitive or unwanted content.

There aren't any published security advisories