Report suspected security issues privately to tohsh17@gmail.com.

Include the affected URL or feature, clear reproduction steps, impact, and any proof-of-concept details that help the CmdTab team validate the issue quickly.

Do not publish exploit details, publicly disclose unpatched vulnerabilities, or access data that does not belong to you.

Do not send large-scale denial-of-service traffic, automated abuse against the site, or destructive payloads against the production service.

The current public web surface is the CmdTab marketing site, privacy page, security page, and the hosted trial / purchase links exposed from the site.

The native macOS app should also be reported through the same security contact if you identify a security-sensitive issue.