Security: de-otio/lightning-talks

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Email: security@yourorg.com

Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Any suggested fix (optional)

Expected response time: Acknowledgment within 48 hours. Resolution timeline communicated within 7 days. Critical issues targeted for patch within 14 days.

Scope

In scope:

  • Lambda handler business logic (authentication flow, authorisation checks, input validation)
  • CDK construct IAM policies (overly permissive roles or resource scopes)
  • Dependency vulnerabilities in lambdas/package.json or root package.json

Out of scope:

  • Vulnerabilities in AWS-managed services (report to AWS directly)
  • Issues in your own deployment configuration
  • Theoretical attacks with no practical exploit path

Supported Versions

Only the latest published npm version receives security fixes. Pinning to old versions is not supported.