# Security Policy

## Source of truth
AppSurface is pre-v1.0.0, but security reports still need a private path.
## Reporting a vulnerability
Do not open a public GitHub issue for suspected vulnerabilities, leaked secrets, exploit details, or reports that include sensitive deployment information.
Use GitHub's private security advisory flow instead: report a vulnerability privately.
If GitHub does not show the private reporting form for your account, open a public issue titled "security contact request" with no vulnerability details and ask a maintainer for a private disclosure channel. Include only non-sensitive routing context, such as the affected package name, when that information is safe to share publicly.
## What to include
- The affected package, example, tool, or documentation surface.
- The smallest reproduction you can safely share.
- The potential impact and any known preconditions.
- Whether the issue is already public or actively exploited.
## Public issue forms
The bug and docs/developer-experience issue forms are for non-sensitive reports only. Maintainers may move public issues into a private disclosure flow if a report contains security-sensitive details.