# Security Policy
## Supported Versions
The following versions of `penmanship` are currently supported with security updates:
| main | :white_check_mark: |
| < 1.0 | :x: |
**Note**: This project is currently in pre-1.0 development. Security fixes are applied to the `main` branch. Once version 1.0 is released, this policy will be updated to reflect supported release versions.
## Reporting a Vulnerability
We take the security of `penmanship` seriously.
### How to Report
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report security vulnerabilities via one of the following methods:
1. **GitHub Security Advisories** (preferred): Use GitHub's [private vulnerability reporting](https://github.com/theroyalwhee0/penmanship/security/advisories/new)
2. **Email**: Contact the maintainer directly (see GitHub profile for contact information)
You can also send to [security@theroyalwhee.com](mailto:security@theroyalwhee.com). See <https://www.theroyalwhee.com/security/policy/>
### What to Include
Please include as much of the following information as possible:
- Type of vulnerability (e.g., input validation, denial of service, etc.)
- Step-by-step instructions to reproduce the issue
- Affected versions or commits
- Potential impact of the vulnerability
- Any suggested fixes or mitigations
### What to Expect
- **Initial Response**: Within 72 hours of your report
- **Status Update**: Within 2 weeks
- **Fix Timeline**: Based on severity and complexity
- **Credit**: Security researchers will be credited in release notes unless they prefer to remain anonymous
### Security Scope
Security issues of particular concern for `penmanship` include:
- Input validation issues that could lead to denial of service
- Dependency vulnerabilities
- Supply chain security issues
Thank you for helping keep `penmanship` and its users safe!