We take security issues seriously. If you discover a vulnerability in this repository, please report it privately so we can investigate and remediate before public disclosure.

Reporting

• Preferred: use GitHub Security Advisories for private disclosure (recommended).
• Alternate: open a private issue and mark it security or contact the maintainers directly if you have an out-of-band contact.

What to include

• A clear, concise description of the vulnerability and the affected component(s).
• Steps to reproduce, proof-of-concept, or a minimal test-case.
• Your environment (OS, QuickShell version / commit, Qt version, compositor).
• Any suggested mitigations or references.

Response process

• We will acknowledge receipt within 48 hours on business days.
• We will coordinate fixes, provide timelines, and work with you on a disclosure plan.
• For high-severity issues we may issue a security advisory and a patched release.

Supported Versions

• This repository's primary development branch is main. We recommend using the latest commit from main for security fixes.

Disclosure policy

• Please do not publicly disclose a confirmed vulnerability until a fix or mitigation is available and coordinated with the maintainers.

Thank you for helping keep this project secure.