# Security Policy

## Supported Versions

Security fixes are applied to the latest stable release.

Older versions may not receive fixes.

## Reporting a Vulnerability

Do not report vulnerabilities in public issues.

Use one of these private channels:

1. GitHub private vulnerability report: `https://github.com/Foscat/Interactive-Surface-CSS/security/advisories/new`
2. Maintainer contact page: `https://github.com/Foscat`

## What to Include

Please include:

- affected version or commit
- impact summary
- clear reproduction steps
- proof of concept if safe to share
- any suggested mitigation

## Response Process

The maintainer will aim to:

1. acknowledge receipt
2. validate and triage severity
3. prepare a fix if needed
4. publish a patch
5. disclose details after a fix is available when appropriate

## Scope Notes

This is a CSS package, but security concerns may still involve:

- release and package integrity
- dependency supply chain risk
- docs or examples that encourage unsafe patterns
- unintended interaction behavior with accessibility implications
