From 558c54537e2b903c429afdd26ea5645211492b3a Mon Sep 17 00:00:00 2001 From: Arkadiy Kukarkin Date: Thu, 28 May 2026 14:07:21 +0200 Subject: [PATCH] add security disclaimer to readme --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index e44c333..5cf2ace 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,14 @@ see `config/config.go` for full list. - adopt authorization: only share owner can adopt into groups (fixes CVE-like auth bypass in upstream) - built-in rate limiting on auth and adopt endpoints (configurable, default 10 req/min/ip) +## disclaimer + +this is a best-effort port of the upstream reference backend. the security +surface has been mitigated where practical, but no third-party audit has been +performed, and risks inherent in the upstream protocol (e.g. 6-digit group pins, +view links readable by anyone with the url) are carried forward. use at your own +discretion. + ## compatibility drop-in replacement for the php backend. works with the existing android app and web frontend.
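Review bot: In the new `## disclaimer` section, "the security surface has been mitigated where practical" does not say which mitigations are meant or what is left open, so a reader cannot judge how exposed the two named risks (6-digit group pins, view links readable by anyone with the url) remain. Suggest pointing to the bullets directly above (adopt authorization, rate limiting on auth and adopt endpoints) and stating whether the rate limiter also covers group pin checks, since the default of 10 req/min/ip is per address and only slows guessing against a 6-digit pin rather than bounding it. For view links, one sentence telling operators to treat the url itself as a secret would make the disclaimer actionable: anyone who holds it can read the share, so it should stay out of logs, referrers and public channels.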