Only the latest deployed version of Arkora receives security updates.

Do not open a public GitHub issue for security vulnerabilities.

If you discover a security vulnerability in Arkora, please report it responsibly through one of these channels:

• GitHub Private Vulnerability Reporting: Security Advisories - preferred method
• Email: security@arkora.app - for sensitive disclosures

Please provide as much of the following as possible:

• Description of the vulnerability and its potential impact
• Steps to reproduce (proof-of-concept if applicable)
• Affected components or endpoints
• Any suggested mitigations you have identified

We will keep you informed throughout the process and credit you in the fix unless you prefer to remain anonymous.

• Authentication and session management (SIWE, World ID verification)
• API route authorization and access control
• Input validation and sanitization
• Data exposure or privacy leaks
• Cryptographic weaknesses
• Rate limiting bypass
• Denial-of-service vulnerabilities in application logic

• Vulnerabilities in third-party services (Neon, Pusher, Vercel, World ID)
• Social engineering attacks against team members
• Physical security
• Denial-of-service via infrastructure (volumetric attacks)
• Issues requiring physical access to a device
• Findings from automated scanners without manual validation

Arkora considers good-faith security research to be authorized and will not pursue legal action against researchers who:

• Report vulnerabilities through the channels described above
• Do not access, modify, or delete user data beyond what is minimally necessary to demonstrate the vulnerability
• Do not perform denial-of-service attacks, social engineering, or spam
• Do not publicly disclose the vulnerability before a fix is deployed

We thank the following researchers for responsibly disclosing vulnerabilities:

No disclosures to date.