We take security issues in all @formosaic/* packages seriously.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them using GitHub Security Advisories. This allows us to assess the issue and work on a fix privately before public disclosure.

• A description of the vulnerability
• Steps to reproduce the issue
• Affected package(s) and version(s)
• Any potential impact you've identified

• Acknowledgment: Within 48 hours of your report
• Initial assessment: Within 5 business days
• Fix timeline: Depends on severity; critical issues are prioritized for immediate patching

This policy applies to all packages in the Formosaic monorepo:

• @formosaic/core
• @formosaic/fluent
• @formosaic/mui
• @formosaic/headless
• @formosaic/antd
• @formosaic/chakra
• @formosaic/mantine
• @formosaic/atlaskit
• @formosaic/base-web
• @formosaic/heroui
• @formosaic/radix
• @formosaic/react-aria