
Security: ferdinand7721/motrix-cloud-worker


SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in motrix-cloud-worker, please report it privately. Do NOT open a public issue.

  • Email: security@fordrax.com
  • Response time: within 72 hours
  • Coordinated disclosure window: 90 days from confirmation

When reporting please include:

  • Affected version (commit SHA or tag)
  • Reproduction steps or proof of concept
  • Impact assessment (what an attacker could do)
  • Suggested mitigation if you have one

We follow coordinated vulnerability disclosure and will credit reporters in release notes unless they prefer to remain anonymous.

Supported Versions

Version Supported
main
< 0.1

Threat Model

This worker runs untrusted scan targets in an isolated Cloud Run Job container. It does not accept network ingress except via the Cloud Run invoker token and reads job state exclusively from a Supabase service-role connection.

Risks we explicitly mitigate:

  • SSRF from scan targets pivoting to GCP metadata: container has no service account access to internal APIs.
  • Memory exhaustion: enforced 2GiB cap and 30 min task timeout.
  • Output injection into Supabase: all writes use parameterized inserts.
  • Nuclei template tampering: templates are baked into the image at build time.
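
The SSRF item above relies on the container having no service-account reach into GCP. A second, independent layer is to refuse scan targets that resolve to the metadata server, link-local or private space before the scanner ever touches them. The guard below is an added defense-in-depth example, not code from motrix-cloud-worker, and assumes a Python worker; `check_target`, `is_blocked_ip` and the injectable `resolver` are names chosen here for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hostnames GCP maps to the metadata server (169.254.169.254), plus loopback.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}

Resolver = Callable[[str], Iterable[str]]


def _default_resolver(host: str) -> Iterable[str]:
    # Resolve every A/AAAA record so a multi-homed host cannot hide one bad address.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip: str) -> bool:
    """True for any address that is not routable public space."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata IP
    return (addr.is_link_local or addr.is_private or addr.is_loopback
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_target(target: str, resolver: Resolver = _default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Hostnames are resolved and every address must be public."""
    # urlsplit lowercases the host and strips IPv6 brackets; bare "host:port" is accepted too.
    host = urlsplit(target if "://" in target else "//" + target).hostname
    if not host:
        return False, "no host in target"
    if host in BLOCKED_HOSTNAMES:
        return False, f"hostname {host} is blocked"
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        try:
            ips = list(resolver(host))
        except socket.gaierror:
            return False, f"cannot resolve {host}"
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

Resolving here and letting the scanner resolve again later leaves a DNS-rebinding window, so the addresses that passed the check should be pinned for the actual connection.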

Risks out of scope:

  • DoS of arbitrary targets — caller responsibility (we cap req/s).
  • Supabase service-role key leakage — environment-variable handling is the consumer's responsibility (use Workload Identity Federation).

There aren't any published security advisories