The Vuetify team takes security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions.
For the full threat model, security properties, supply-chain hardening, and CSP guidance, see the Security documentation.
To report a security issue, email security@vuetifyjs.com and include the word "SECURITY" in the subject line.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
You can also report a vulnerability through GitHub Security Advisories.
Report security bugs in third-party modules to the maintainers of those modules.
- Initial Response — We will acknowledge receipt within 48 hours
- Investigation — We will investigate and keep you informed of progress
- Resolution — We will prepare and release fixes as quickly as possible
- Credit — We will credit you in the release notes (unless you prefer anonymity)
When we receive a security report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar issues
- Prepare fixes for all maintained releases
- Release fixes to npm as quickly as possible
Internally, security incidents are handled according to a formal Incident Response Plan that defines severity classification, response timelines, and escalation procedures.
We harden the path from source to published package:
- Dependency cooldown — a newly published dependency version must age 14 days before it can be installed (first-party and dev/build toolchain packages are exempt), giving time for a compromised release to be detected and pulled.
- Committed lockfile — `pnpm-lock.yaml` is version-controlled for reproducible installs.
- Pinned CI actions — Vuetify-owned GitHub Actions are pinned to commit SHAs, not mutable branch refs.
See the Security documentation for the full breakdown.
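As an added illustration of the dependency cooldown rule above (this is not code from the Vuetify repository or from pnpm), the Python below evaluates a package's publish timestamps, in the shape of the npm registry's `time` map, against a 14-day age requirement. The package names, dates, and exemption list are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of an npm packument "time" map (version -> publish timestamp),
# the same shape the registry returns; the versions and dates are made up.
SAMPLE_TIMES = {
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-03-20T12:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.0.1": "2024-02-10T09:30:00.000Z",
    "1.1.0": "2024-03-20T12:00:00.000Z",  # freshly published, not yet aged
}
# Constructed "current time" used by the stand-alone run and the checks below.
SAMPLE_NOW = datetime(2024, 3, 25, tzinfo=timezone.utc)

COOLDOWN = timedelta(days=14)
# Hypothetical exemption list: first-party scope and build toolchain skip the cooldown.
EXEMPT_SCOPE = "@vuetify/"
EXEMPT_NAMES = {"vuetify", "vite", "typescript"}

def _parse(ts):
    # The registry emits ISO-8601 UTC timestamps with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_exempt(pkg):
    return pkg.startswith(EXEMPT_SCOPE) or pkg in EXEMPT_NAMES

def is_installable(pkg, version, times, now, cooldown=COOLDOWN):
    """True if `version` of `pkg` has aged past `cooldown` at `now`, or is exempt."""
    if version not in times:
        raise KeyError(f"{pkg}@{version} is not published")
    if is_exempt(pkg):
        return True
    return now - _parse(times[version]) >= cooldown

def newest_installable(pkg, times, now, cooldown=COOLDOWN):
    """Most recently published version that has cleared the cooldown, or None."""
    versions = [(ts, v) for v, ts in times.items() if v not in ("created", "modified")]
    eligible = [(ts, v) for ts, v in versions if is_installable(pkg, v, times, now, cooldown)]
    # Timestamps share one ISO format, so string ordering is chronological.
    return max(eligible)[1] if eligible else None

if __name__ == "__main__":
    for pkg in ("some-dep", "@vuetify/v0"):
        print(pkg, "->", newest_installable(pkg, SAMPLE_TIMES, SAMPLE_NOW))
```

A real resolver would fetch the packument from the registry and apply the same test per version; the exemption list mirrors the policy's first-party and build-toolchain carve-out.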
This policy applies to the @vuetify/v0 package and related packages in this repository.