I'm bringing on a contributor whose specific focus is keeping an eye on Bambuddy's security going forward.

What the role looks like:

Track the dev branch and flag changes touching auth, permissions, token handling, or the CI security backstops. Async post-merge, so it doesn't gate in-flight PRs — findings get raised before the next release cut.

What I'm looking for:

• A habit of fail-closed thinking. Knowing why "except Exception: return <permissive>" is dangerous by default matters more than formal background.
• Comfortable reading FastAPI + SQLAlchemy on the backend and a small React/TypeScript surface on the frontend.
• Time commitment is whatever you can spare. No fixed schedule, no SLA.

If interested, or you know someone who'd fit, email martin@bambuddy.cool. Happy to chat about the shape before any commitment.

Martin