Security: acuestamd/shortwatch

SECURITY.md

Security Policy

Scope

shortwatch is a static, zero-dependency tool that reads public data from the openFDA Drug Shortages API and writes JSON/CSV snapshots. It runs no server, stores no secrets, and collects no personal data. The most relevant security concerns are therefore:

  • the integrity of the published data/ snapshots,
  • the GitHub Actions workflow that refreshes them, and
  • the static index.html dashboard.

Supported versions

shortwatch is released from main. Security fixes are applied to the latest release line only.

| Version | Supported |
|---------|-----------|
| 0.1.x   | Yes       |

Reporting a vulnerability

Please report suspected vulnerabilities privately — do not open a public issue for a security problem.

When reporting, please include:

  • a description of the issue and its potential impact,
  • steps to reproduce (or a proof of concept), and
  • any suggested remediation.

What to expect

  • Acknowledgement of your report within 5 business days.
  • An initial assessment and severity estimate within 10 business days.
  • Coordinated disclosure once a fix is available; credit is offered to reporters who wish to be named.

Out of scope

  • The accuracy or completeness of upstream openFDA data. shortwatch is a non-diagnostic, informational tool — see DISCLAIMER.md. Data-quality concerns should be filed as a regular data issue, not a security report.
  • Findings that require a compromised maintainer account or CI environment.