Security: aakri0/Lyceum

SECURITY.md

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in Lyceum, please report it privately. Do not open a public GitHub issue, pull request, or discussion that describes the vulnerability.

Instead, contact the maintainer directly via the email on the GitHub profile @aakri0. Please include:

  • A description of the issue and its potential impact.
  • Steps to reproduce (proof-of-concept code, request payloads, or a minimal scenario).
  • The affected version, branch, or commit hash.
  • Any suggested mitigation, if you have one.

You should expect an acknowledgement within 5 business days. If you do not, please follow up — the report may not have reached its destination.

Disclosure Process

  1. The maintainer confirms the report and assesses severity.
  2. A fix is developed on a private branch and tested.
  3. A patch is released and the advisory is published.
  4. Credit is given to the reporter unless they prefer to remain anonymous.

Please give the project a reasonable window to ship a fix before public disclosure — typically 90 days, sooner for critical issues.

Supported Versions

Lyceum is a single-branch project; only the latest commit on main is supported. Security fixes are not back-ported to forks or earlier tags.

Scope

In-scope issues include, but are not limited to:

  • Authentication and session-management flaws (OTP bypass, password-reset token reuse, session fixation).
  • Authorization flaws across the student / faculty / admin role boundaries.
  • SQL injection, command injection, or template injection.
  • Cross-site scripting (XSS), CSRF bypass, or open redirects.
  • Insecure direct object references (IDOR) on student records, courses, or SWD requests.
  • Secret exposure via logs, error pages, or git history.
  • Rate-limit bypass on authentication endpoints.

Out of scope:

  • Findings that require physical access to a user's device.
  • Self-XSS that requires the victim to paste attacker-supplied content into the browser console.
  • Missing security headers on /static/* assets where no sensitive data is rendered.
  • Reports generated by automated scanners without a working proof-of-concept.

Hardening Notes for Operators

If you are deploying Lyceum, please review the Security Notes section in the README — it covers required production settings (SESSION_COOKIE_SECURE, FLASK_SECRET_KEY rotation, Redis-backed rate limiting, CSP/HSTS, bcrypt cost factor, and credential hygiene for forks).
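A pre-deploy check for the settings named above, added here as an example and not part of Lyceum or its README: it audits a Flask-style config mapping and returns a finding for each weak value. SECRET_KEY and the SESSION_COOKIE_* keys are Flask's standard keys; RATELIMIT_STORAGE_URI (Flask-Limiter) and BCRYPT_LOG_ROUNDS (Flask-Bcrypt) are assumed to be how the project wires those libraries, and the thresholds are assumptions.

```python
"""Audit Flask production settings listed in the Hardening Notes (added example)."""

MIN_SECRET_LEN = 32      # assumed minimum length for the value of FLASK_SECRET_KEY
MIN_BCRYPT_ROUNDS = 12   # assumed minimum bcrypt cost factor
PLACEHOLDER_SECRETS = {"", "dev", "changeme", "secret", "flask_secret_key"}


def audit_config(cfg):
    """Return a list of findings for a config mapping; empty list means all checks passed.

    Rotation of FLASK_SECRET_KEY and the CSP/HSTS response headers cannot be
    judged from a static config, so they are outside this check.
    """
    findings = []

    secret = str(cfg.get("SECRET_KEY") or "")
    if secret.strip().lower() in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN:
        findings.append("SECRET_KEY is missing, a known placeholder, or shorter than "
                        f"{MIN_SECRET_LEN} characters")

    # Cookie flags: Secure must be explicitly on; HttpOnly defaults to True in
    # Flask, so only an explicit False is flagged; SameSite must be set.
    if cfg.get("SESSION_COOKIE_SECURE") is not True:
        findings.append("SESSION_COOKIE_SECURE must be True so the session cookie "
                        "is only sent over HTTPS")
    if cfg.get("SESSION_COOKIE_HTTPONLY") is False:
        findings.append("SESSION_COOKIE_HTTPONLY must not be disabled")
    if cfg.get("SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        findings.append("SESSION_COOKIE_SAMESITE should be Lax or Strict")

    # Rate limiting: the in-memory backend resets per process and per restart,
    # so a multi-worker deployment needs the Redis backend.
    storage = str(cfg.get("RATELIMIT_STORAGE_URI", "memory://"))
    if not storage.startswith(("redis://", "rediss://")):
        findings.append("rate limiting is not Redis-backed (RATELIMIT_STORAGE_URI)")

    rounds = int(cfg.get("BCRYPT_LOG_ROUNDS", 0) or 0)
    if rounds < MIN_BCRYPT_ROUNDS:
        findings.append(f"BCRYPT_LOG_ROUNDS is {rounds}, below {MIN_BCRYPT_ROUNDS}")

    return findings


if __name__ == "__main__":
    # Constructed sample config with a placeholder secret and Secure cookies off.
    sample = {"SECRET_KEY": "changeme", "SESSION_COOKIE_SECURE": False}
    for line in audit_config(sample):
        print("FAIL:", line)
```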

There aren't any published security advisories