| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |

Email info@run402.com with:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment (if known)

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.

Please do not open a public GitHub issue for security vulnerabilities.
This policy covers:
- The Krello application code (frontend SPA, backend function, schema)
- Row-level security policies in `schema.sql`
- The deployment script (`deploy.ts`)

The Run402 platform (api.run402.com) is operated by Kychee LLC. Report platform-side vulnerabilities to the same email address.

- Row-level security: Every table enforces RLS policies — users can only access boards they are members of, at their assigned role level.
- Role-based access: Four roles (owner, admin, member, viewer) with escalating permissions. Role checks happen at the database level, not in application code.
- Auth: JWT-based authentication via Run402. Tokens are validated by PostgREST before any query executes.
- No secrets in frontend: The SPA uses only the anonymous (public) API key. Service keys and admin credentials are never shipped to the browser.
- SQL safety: The Run402 gateway blocks dangerous SQL operations (CREATE EXTENSION, COPY PROGRAM, ALTER SYSTEM, etc.) at the platform level.
- Schema isolation: Each deployment runs in its own Postgres schema with cross-schema access blocked.
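The row-level security and database-level role checks described above, as an added illustrative example rather than Krello's own `schema.sql`: a membership table and PostgreSQL policies on a `boards` table so that any member can read a board, owners and admins can update it, and only the owner can delete it. The table and column names, the split of permissions across the four roles, and the assumption that PostgREST exposes the validated JWT as `request.jwt.claims` with the user id in its `sub` claim are all mine.

```sql
-- Illustrative tables: boards, plus a membership table recording each user's
-- role on a board (names are assumed, not taken from Krello's schema.sql).
create table boards (
  id    bigint generated always as identity primary key,
  title text not null
);

create table board_members (
  board_id    bigint not null references boards (id) on delete cascade,
  user_id     text   not null,
  member_role text   not null
              check (member_role in ('owner', 'admin', 'member', 'viewer')),
  primary key (board_id, user_id)
);

-- Caller identity from the JWT that PostgREST validated and exposed as the
-- transaction-local setting request.jwt.claims (assumes the user id is in "sub").
create or replace function current_user_id() returns text
  language sql stable as $$
  select current_setting('request.jwt.claims', true)::json ->> 'sub'
$$;

-- Caller's role on a board, or null when not a member. SECURITY DEFINER lets
-- the lookup read board_members without the policies below recursing into it.
create or replace function board_role(b bigint) returns text
  language sql stable security definer as $$
  select member_role from board_members
   where board_id = b and user_id = current_user_id()
$$;

-- Deny by default: with RLS enabled and forced, no row is visible or writable
-- unless a policy grants it, even to the table owner.
alter table boards enable row level security;
alter table boards force row level security;

-- Any member, at any role, can read the board.
create policy boards_select on boards
  for select using (board_role(id) is not null);

-- Only owners and admins can change it (assumed split of the four roles) ...
create policy boards_update on boards
  for update using (board_role(id) in ('owner', 'admin'))
  with check (board_role(id) in ('owner', 'admin'));

-- ... and only the owner can delete it. Viewers and members get no write
-- policy, so the database rejects their writes regardless of what the SPA sends.
create policy boards_delete on boards
  for delete using (board_role(id) = 'owner');
```

In a real schema `board_members` needs its own policies as well; the definer function is what keeps a policy on that table from recursing into itself when it looks up the caller's role.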