This repository is a public demo project. Security reports are still welcome, especially for:
- authentication and token handling
- Telegram WebApp validation
- webhook verification
- secret exposure in docs, config, or Docker flows
Please do not open a public issue for a suspected vulnerability.
Instead, contact the maintainer directly through the contact options on their GitHub profile, and include:
- a concise description of the issue
- affected files or endpoints
- reproduction steps
- impact assessment
- a suggested fix, if available

- Demo credentials and seeded data in this repository are non-production by design.
- Production deployments should still add environment-specific hardening, secret rotation, audit logging, rate limiting, and infrastructure review.