BetaUnderstand · Policy
Project security model
Understand the project security boundary and route a suspected vulnerability through private reporting.
Review security reportingEstimated time6 minutes
Trust, applicability, and sourcesMobazha v0.3 release candidate
Trust boundaries
- The backend that owns an order is authoritative for its state and protected transitions.
- The client is untrusted input and a presentation layer; hiding a control never replaces server authorization.
- Payment rails, RPCs, indexers, plugins, webhooks, media, and delivery systems are external dependencies with their own failure and threat models.
- Extensions receive minimum typed projections and scoped handles, not general database or Core access.
- Sensitive actions remain auditable without placing secrets or unnecessary personal data in logs.
Release and supply chain
The current release is a pre-release candidate. Final artifacts require vulnerability scanning, dependency and license review, SBOM generation, checksums, provenance, reproducibility evidence, secret scans, and platform-specific validation.
Security reporting
Use the affected repository's GitHub private vulnerability reporting. Do not publish exploit details, leaked credentials, signing-key concerns, or customer data in issues, chat, or documentation feedback.