Thank you for helping keep this project secure. This document explains how to report vulnerabilities and what to expect from our responsible disclosure process.
- Latest released version
- `main` branch
For template repositories like this, security fixes typically land on `main` and are released promptly.
Please report security issues privately. Do not open a public issue.
- Preferred: create a private GitHub Security Advisory: https://github.com/sajaddp/typescript-template/security/advisories/new
- Include clear reproduction steps, impact, affected scope, environment details, and any minimal PoC or scripts needed.
There is no dedicated security email at this time; please use Security Advisories.
- Acknowledgment: within 48 business hours
- Triage and remediation plan: within 3–7 business days (severity-dependent)
- Fix/mitigation release: within 1–2 weeks (faster for critical issues)
We may contact you for clarification during triage and will keep you updated on progress.
- Please avoid public disclosure until a fix or advisory is available.
- We will coordinate public timing and, if you wish, credit you after resolution.
This policy covers only the code and configurations contained in this repository.
We encourage good-faith security research. If you follow the guidelines below, your research should not be considered a policy violation:
- Do not cause harm, service degradation, or data manipulation.
- Respect privacy; access only what is necessary and do not disclose data.
- Do not exfiltrate sensitive/personal data; include only minimal evidence.
- Limit testing to assets within this repository and authorized environments.
If you are unsure about scope or rules, contact us first via a Security Advisory.
We appreciate your time and effort. With your permission, we may credit you in release notes once the issue is resolved.