
Security: aatuh/randonnee


SECURITY.md

Security Policy

Randonnee is high-trust random-generation infrastructure. Security reports are welcome, especially around randomness, tenant isolation, authentication, authorization, request signing, receipt verification, replay, secret redaction, Docker images, and release evidence.

Reporting A Vulnerability

If you believe you found a vulnerability, contact Aatu Harju through LinkedIn:

https://www.linkedin.com/in/aatu-harju

Use the initial message to request a private reporting channel. Do not include live API keys, bearer tokens, private keys, customer data, exploit payloads against third-party systems, or other sensitive material in the first message.

What To Include

Once a private channel is established, include:

  • affected commit, tag, image digest, or deployment profile,
  • concise impact statement,
  • reproduction steps or proof of concept,
  • affected endpoints, commands, or packages,
  • whether secrets, tenant data, receipts, or replay evidence are exposed,
  • suggested fix if known.

Supported Scope

Security support focuses on the current master branch and current release tags. Older releases receive best-effort support unless a commercial support agreement says otherwise.

Out of scope:

  • denial-of-service reports that require unrealistic local resource access,
  • issues caused only by unsupported production configuration,
  • findings that depend on publishing secrets in public channels,
  • requests for FIPS/NIST/CMVP, gambling, lottery, wallet, payment, settlement, anonymity, or certified-randomness claims.

Disclosure

Please allow time for triage and remediation before public disclosure. Public fixes should avoid exposing exploit details before affected users have a reasonable update path.
