Please do not open a public issue for security-sensitive reports (including weaknesses in abuse / attacker path rules).
Preferred options:
- GitHub Security Advisories — use Security → Advisories → Report a vulnerability on this repository (if enabled).
- If that is unavailable, email hi@r-sun.ai (Raising Sun s.r.o., Bratislava, Slovakia — r-sun.ai) with enough detail to reproduce (no need to include live tokens or production URLs).
Include: affected component (ingest, classifier, dashboard, etc.), steps to reproduce, and impact assessment if known.
We aim to acknowledge receipt within 5 business days and to send a brief assessment or next steps within a reasonable timeframe after that. Critical issues may be prioritized; timelines depend on severity and reproducibility. This is a best-effort policy for the open-source distribution and does not constitute a paid SLA.
- The dashboard listens on loopback only (127.0.0.1); exposing it beyond localhost changes the threat model.
- Heuristic lists (paths, User-Agents) are defensive analytics only. False positives and false negatives are expected; tune allowlists for your deployment. See docs/classification.md.