Security / reporting

Report security issues through the right channel.

Security reports have a dedicated path. Product questions can use the contact form, but vulnerability details should go directly to the security inbox.

Details

Sensitive reports need the right channel.

Security reports should have a clear path and stay separate from general product requests. This page explains what to send and where to send it.

reporting

Use the security inbox for sensitive issues

Send vulnerability reports, exposed credential concerns, authentication issues, and private workspace exposure reports to the dedicated security inbox.

handling

Keep sensitive details out of the contact form

Do not include secrets, tokens, private repository contents, or exploit details in the general contact form. Use the security inbox instead.

detail

Include enough context to triage

Useful reports include the affected page or workflow, expected impact, reproduction notes, and whether private workspace content may be involved.

boundaries

Security starts with clear boundaries

RepoWiki is designed around private workspaces, selected repositories, visible source details, and safe document rendering.

MCP access

MCP clients use scoped tokens

MCP access is read-only, workspace-scoped, token-authenticated, metered, and revocable by workspace admins.

security contact

Send sensitive reports directly.

General product requests should use the contact form. Security reports should go directly to a dedicated inbox.

dedicated inbox

security@repowiki.dev

Include impact, reproduction notes, affected area, and whether any private workspace content may be exposed.