To report a vulnerability, please privately report it via the Security tab on the correct GitHub repository (see documentation). Do not open a public issue. Provide:

• A clear description of the issue
• Steps to reproduce
• Expected vs actual behavior
• Potential impact
• A proof of concept if possible
• Affected commit / version (if known)

We aim to acknowledge receipt of a valid report within 1 week.

We aim to provide a remediation plan or decision within 4 weeks. Actual fix time may be shorter or longer depending on severity, complexity, and scope.

In scope:

• Vulnerabilities introduced by code in this repository
• Supply-chain risks caused by how this repository consumes or distributes its own code (e.g. insecure Github Actions)

Out of scope:

• Issues only present in third-party dependencies (please report those upstream)
• Issues that can only be exploited when the underlying platform (browser, server runtime) is compromised
• Using untrusted user content without sanitization in places that are not explicitly sanitized by the framework (for example in Svelte putting user content into {@html ...} is unsanitized, {...} is sanitized insofar as the content cannot alter the HTML structure to e.g. insert script tags)
• Denial of service via excessive legitimate use

Please keep reports private until a fix is released and a Security Advisory is public.

By default, we do not publish CVEs for vulnerabilities solely affecting experimental features, though we may opt to publish one if the vulnerability is unusually severe or easy to exploit. An experimental feature is one that is clearly gated behind an experimental.{name} configuration flag.

We reserve the right to publish our own CVEs. Please do not pre-reserve CVE records or attempt to publish your own CVE. If we do publish a CVE, we will ensure you receive credit for your discovery and any work you may do to help patch it.