Skip to content

Security: joehunt/lean-coffee

Security

SECURITY.md

Security Policy

Supported versions

Lean Coffee is pre-1.0 and under active development. Security fixes are applied to the latest main.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, use GitHub's private vulnerability reporting ("Report a vulnerability" under the Security tab). Include:

  • A description of the issue and its impact
  • Steps to reproduce (proof-of-concept if possible)
  • Affected version / commit and your environment

You can expect an initial response within a few days. We'll keep you updated on remediation and coordinate disclosure once a fix is available.

Scope & threat model

Lean Coffee is a self-hosted, single-session meeting tool intended to be run by a facilitator on their own machine. By design it favors low friction over hard security:

  • Anonymous participants. Join requires no account; identity is a browser-local token.
  • Host authority is a secret token. The /host/<id>?t=<token> link grants facilitator powers; treat that URL like a password and don't share it with participants.
  • Public tunnel. npm start exposes the app on a public trycloudflare.com URL. Anyone with the link can join the session, submit topics, and vote. Don't put sensitive content in topic text.

Reports that strengthen this model — host-token leakage, vote/integrity bypasses, injection, denial of service, or unsafe defaults — are very welcome.

There aren't any published security advisories