Security
If you discover a vulnerability in osu!Reviews, please report it privately and do not open a public issue with exploit details. Responsible disclosure helps protect users and the service.
How to report a vulnerability
Do not post security vulnerabilities in public issues, comments, or public chats. Send the report privately to one of the current security contacts instead.
Current security contacts: adminosureviews@gmail.com and Discord `.morgun.`
What to include
Include the affected URL or feature, clear reproduction steps, any required account permissions, the impact of the issue, and screenshots or proof-of-concept details when safe to share privately.
Avoid actions that would damage data, interrupt service, access accounts that are not yours, or expose private information beyond what is necessary to prove the issue.
Security posture
The project is designed around server-side ownership checks, allowlisted mutations, protected osu! identity fields, abuse-resistant queue flows, moderation boundaries, audit logging, and strict distrust of client-supplied identity claims.
Additional protections may include CSP, CSRF-style request checks, rate limiting, RLS-backed data rules, and abuse logging depending on the deployed environment.
No guarantee of response times
This is an independent project, so response and remediation times are best-effort. Critical issues should still be reported as soon as possible with enough detail to reproduce and fix them safely.