Lean Coffee is pre-1.0 and under active development. Security fixes are applied to the latest main.
Please do not report security vulnerabilities through public GitHub issues.
Instead, use GitHub's private vulnerability reporting ("Report a vulnerability" under the Security tab). Include:
- A description of the issue and its impact
- Steps to reproduce (proof-of-concept if possible)
- Affected version / commit and your environment
You can expect an initial response within a few days. We'll keep you updated on remediation and coordinate disclosure once a fix is available.
Lean Coffee is a self-hosted, single-session meeting tool intended to be run by a facilitator on their own machine. By design it favors low friction over hard security:
- Anonymous participants. Join requires no account; identity is a browser-local token.
- Host authority is a secret token. The
/host/<id>?t=<token>link grants facilitator powers; treat that URL like a password and don't share it with participants. - Public tunnel.
npm startexposes the app on a publictrycloudflare.comURL. Anyone with the link can join the session, submit topics, and vote. Don't put sensitive content in topic text.
Reports that strengthen this model — host-token leakage, vote/integrity bypasses, injection, denial of service, or unsafe defaults — are very welcome.