Security Policy
Last updated: June 5, 2026
Overview
GitHub Folder Downloader is intended to fetch selected GitHub repository content and prepare ZIP downloads in the browser. This policy explains how to report suspected vulnerabilities privately and what information helps maintainers review a report safely.
Report vulnerabilities privately
If you believe you found a security issue, contact the maintainers privately at security@x00.ai. Do not submit vulnerability details through Tally, public feedback, public issues, social media, or other public channels.
Do not send access tokens, passwords, private repository contents, sensitive logs, or unnecessary personal data. If a report requires sensitive examples, describe the category of data and wait for a maintainer to request a safer sharing method.
Supported scope
- The production web app and its application routes.
- Client-side handling of GitHub URLs, optional tokens, repository trees, previews, and ZIP creation.
- Security-relevant behavior in this project's source code and documented deployment assumptions.
Issues in third-party platforms, including GitHub, Vercel, Tally, browsers, and package registries, should be reported through those platforms' own security programs, unless the issue is caused by this app's integration code.
What to include
- A concise description of the suspected issue and potential impact.
- Reproduction steps using public test repositories or synthetic data whenever possible.
- Browser, device, and route information relevant to the behavior.
- Any safe screenshots or proof-of-concept details that do not expose secrets or private content.
- Whether you believe the issue is actively exploitable or already public.
Responsible disclosure expectations
- Give maintainers a reasonable opportunity to investigate and address the report before public disclosure.
- Avoid accessing, modifying, deleting, or downloading data that is not yours.
- Avoid service disruption, automated high-volume testing, spam, phishing, social engineering, or physical attacks.
- Keep communication factual and private while the issue is being reviewed.
No bounty or compliance claims
The project does not currently offer a bug bounty program. This policy is practical reporting guidance and does not create legal guarantees, safe-harbor promises, service-level commitments, or compliance certifications.