Security: pad29/KindReach

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you've found a security vulnerability in Kind Reach, please do not open a public GitHub issue.

Instead, use GitHub's private vulnerability reporting:

  1. Go to the Security tab on the Kind Reach repository.
  2. Click Report a vulnerability.
  3. Fill in the form with as much detail as you can — steps to reproduce, impact, and any suggested fix.

I'll respond within a reasonable time, typically within 7 days. Once a fix is ready, it ships as a normal release; if appropriate, I'll publish a GitHub Security Advisory crediting you.

Scope

Kind Reach is a single-user, locally-hosted application that binds to 127.0.0.1. The threat model assumes:

  • The user trusts their own machine and the contents of their data/ folder (which holds the SQLite DB, attachments, and Gmail OAuth token).
  • The user does not deliberately expose the app to a public network.

In-scope concerns:

  • Code execution paths reachable from user input (CSV/Excel import, template editor, OAuth callback).
  • Information disclosure in backup zips, error pages, or logs.
  • Inadequate sanitization of email HTML that could expose recipients to active content from a compromised template.
  • Path traversal in the restore flow: the zip extractor must reject entry names containing .. segments (and, by the same logic, absolute paths) before anything is written to disk (see app/services/backup_service.py).
  • Anything that could cause the app to send mail the user did not intend.
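The restore-flow item is the one concrete check in the list above, so here is an added example of how a restore-time validator can be written. It is not code from Kind Reach or from app/services/backup_service.py; the function names, the data/ layout and the archives it builds are constructed for illustration. It goes beyond the single rule stated in the policy (reject .. segments) to the other entry names a zip can carry that escape the destination: absolute paths, Windows drive letters, backslash separators and symlink entries, with a final check on the resolved filesystem path as a second line of defence.

```python
"""Restore-time validation of zip entry names (added example, not Kind Reach code).

Hypothetical helper for a backup/restore flow: every entry is checked before
anything is written, and the whole archive is refused on the first bad name.
Archive contents, the data/ layout and all names below are constructed.
"""
import io
import posixpath
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveMember(ValueError):
    """An archive entry that would be written outside the restore directory."""


def safe_member_path(name: str) -> str:
    """Return a normalised relative path for one zip entry name, or raise."""
    if not name:
        raise UnsafeArchiveMember("empty entry name")
    if name.startswith(("/", "\\")):
        raise UnsafeArchiveMember(f"absolute path: {name!r}")
    if "\\" in name:
        # On POSIX a backslash is an ordinary character, so 'data\\..\\x' would
        # not be split into segments at all; refuse rather than guess the OS.
        raise UnsafeArchiveMember(f"backslash separator: {name!r}")
    if ":" in name.split("/", 1)[0]:
        raise UnsafeArchiveMember(f"drive letter in first segment: {name!r}")
    if ".." in name.split("/"):
        raise UnsafeArchiveMember(f"parent-directory segment: {name!r}")
    norm = posixpath.normpath(name)  # collapses './' and '//' only, since '..' is gone
    if norm in (".", "..") or norm.startswith("../") or posixpath.isabs(norm):
        raise UnsafeArchiveMember(f"escapes destination after normalisation: {name!r}")
    return norm


def symlink_entry(info: zipfile.ZipInfo) -> bool:
    """True if the entry was stored as a Unix symlink (mode bits live in the upper 16 bits)."""
    return ((info.external_attr >> 16) & 0o170000) == 0o120000


def validate_archive(data: bytes) -> list[str]:
    """Check every entry of an in-memory zip; return the normalised names in archive order."""
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if symlink_entry(info):
                # zipfile would write the link target out as file content; a
                # restore flow has no reason to accept link entries at all.
                raise UnsafeArchiveMember(f"symlink entry: {info.filename!r}")
            names.append(safe_member_path(info.filename))
    return names


def is_safe_archive(data: bytes) -> bool:
    """Convenience wrapper: True only if every entry passes validation."""
    try:
        validate_archive(data)
    except (UnsafeArchiveMember, zipfile.BadZipFile):
        return False
    return True


def restore(data: bytes, dest: Path) -> list[Path]:
    """Extract into dest only after the whole archive has passed validation."""
    names = validate_archive(data)
    dest = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info, rel in zip(zf.infolist(), names):
            target = (dest / rel).resolve()
            if dest not in target.parents:  # second check, on the real filesystem path
                raise UnsafeArchiveMember(f"resolved outside destination: {rel!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)  # writestr keeps the name exactly as given
    return buf.getvalue()


# Constructed archives: one legitimate backup and four hostile entry names.
GOOD = make_zip({"data/kindreach.db": b"sqlite", "data/attachments/a.txt": b"hi"})
TRAVERSAL = make_zip({"data/kindreach.db": b"sqlite",
                      "../../.ssh/authorized_keys": b"ssh-ed25519 AAAAC3"})
ABSOLUTE = make_zip({"/etc/cron.d/backdoor": b"* * * * * root id\n"})
BACKSLASH = make_zip({"data\\..\\..\\token.json": b"{}"})
DRIVE = make_zip({"C:/Windows/win.ini": b""})


def restore_demo() -> list[str]:
    """Restore GOOD into a throwaway directory and report the relative paths written."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp).resolve()
        return sorted(p.relative_to(dest).as_posix() for p in restore(GOOD, dest))


if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("traversal", TRAVERSAL), ("absolute", ABSOLUTE),
                        ("backslash", BACKSLASH), ("drive", DRIVE)]:
        print(f"{label:10} safe={is_safe_archive(blob)}")
    print("restored:", restore_demo())
```

Two design points worth noting. First, CPython's own ZipFile.extract() silently strips leading separators and .. components rather than refusing them, so relying on it would turn a hostile backup into a partial restore under renamed paths; validating every name up front and rejecting the whole archive makes the failure visible. Second, the resolve()-based check in restore() is deliberately redundant with the name check: it costs nothing and catches anything the string rules miss, including a destination path that is itself a symlink.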

Out of scope:

  • Browser-level XSS in the local UI (the app is single-user and same-origin to itself).
  • Exposure caused by the user binding the app to 0.0.0.0 against the README's instructions.
  • Anything that requires already having write access to the user's data/ folder — at that point, you already have the OAuth token.
  • Issues in third-party dependencies; please report those upstream.

Supported versions

Only the current latest release is supported. Older versions do not receive security backports.
