If you believe you have discovered a security vulnerability affecting any part of this project, please report it responsibly using one of the methods below.
For vulnerabilities affecting repositories hosted on GitHub, please use GitHub’s Private Vulnerability Reporting feature. This allows you to confidentially report security issues directly through the repository, without public disclosure.
This is the recommended reporting method for GitHub-hosted components.
If GitHub Private Vulnerability Reporting is unavailable or unsuitable for your report, you may contact us via email.
Email: hi@spicylyrics.org
Please include:
- A clear description of the issue
- Steps to reproduce (if applicable)
- Potential impact
- Any relevant logs, screenshots, or proof-of-concept details
Do not open public GitHub issues or pull requests to report security vulnerabilities.
This project is a multi-component application consisting of:
- Frontend application (open source, Spicetify extension)
- Backend services (private, SaaS)
- Public but closed-source services
- Supporting websites, APIs, and infrastructure
Security reports affecting any component of the project are in scope, even when the affected component is closed-source, private, or operated as a hosted service.
CVE identifiers may be issued only for vulnerabilities affecting publicly distributed components, such as the open-source frontend extension.
Vulnerabilities limited to backend services, private infrastructure, or hosted-only components may be remediated and documented without a CVE identifier, since CVE assignment covers publicly distributed software.
We review security reports internally and determine appropriate remediation and disclosure on a case-by-case basis.
We ask that security issues not be publicly disclosed until we have had a reasonable opportunity to review and address the report.