Security: delmaredigital/payload-puck

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in @delmaredigital/payload-puck, please report it privately so we can address it before public disclosure.

Preferred: Use GitHub's private vulnerability reporting. This creates a private draft advisory that only maintainers can see.

Alternative: Email [email protected].

Please include:

  • A description of the issue and its potential impact
  • Steps to reproduce
  • Affected versions (if known)
  • Any suggested fix or mitigation

Please do not open a public GitHub issue for security vulnerabilities.

Response Expectations

  • We aim to acknowledge reports within 3 business days.
  • We will keep you updated as we investigate and develop a fix.
  • Once a fix is available, we publish a GitHub Security Advisory and may request a CVE.

Supported Versions

This project is pre-1.0. Security fixes are released against the latest published version only. If you are on an older release, please upgrade.

Disclosure

We follow coordinated disclosure. Once a fix is published, we publish a security advisory crediting the reporter (with their permission). Past advisories are visible in the Security tab.
