Security: JiHong88/suneditor

SECURITY.md

Security Policy

Supported Versions

Version Supported
3.x.x
2.x.x

Reporting a Vulnerability

If you discover a security vulnerability, please do not disclose it publicly through GitHub Issues, Discussions, or pull requests.

Instead, please report it by email:

Security contact: 0125ses@hanmail.net

Please use the following email subject format when possible:

[Security] Brief vulnerability title

For example:

[Security] XSS vulnerability in editor preview
[Security] Possible HTML injection via paste handler

When reporting a vulnerability, please include as much detail as possible, such as:

  • A clear description of the vulnerability
  • Type of vulnerability, such as XSS, injection, bypass, or information disclosure
  • Steps to reproduce the issue
  • Potential impact
  • Any suggested fix, if available

We will review the report and respond as soon as possible. You can generally expect an initial response within 7 days.

If the vulnerability is accepted, we will investigate the issue, work on a fix, and coordinate disclosure if needed. Once a fix is available, we may publish a security advisory, release notes, or changelog entry depending on the severity.

We are happy to credit reporters for responsibly disclosed vulnerabilities, unless they prefer to remain anonymous. Public credit will usually be given after the issue has been fixed or safely disclosed.

If you want to notify us publicly that a report has been sent, you may open a GitHub Issue with a general title such as:

[Security] Vulnerability report sent by email

Do not include technical details, reproduction steps, proof-of-concept code, screenshots, payloads, affected locations, or any other sensitive information in the public issue.

If the report is declined, we will explain the reason when possible.

Please avoid sharing vulnerability details publicly until we have had a reasonable amount of time to investigate and address the issue.
