Note: Only the latest stable release and the current pre-release branch receive security updates.

說明：僅最新正式版與當前預發布分支會收到安全更新。

DO NOT open a public GitHub issue for security vulnerabilities.

請勿以公開 GitHub issue 回報安全漏洞。

Instead, please report security vulnerabilities through one of these channels:

請透過以下管道回報安全漏洞：

1. GitHub Security Advisories (Recommended | 推薦)

   • Go to Security Advisories
   • This ensures the report is private and tracked

2. GitHub Private Vulnerability Reporting

   • Go to Report a Vulnerability
   • Follow the guided reporting process

Please include the following information:

請包含以下資訊：

• Description | 描述: A clear description of the vulnerability
• Steps to Reproduce | 重現步驟: Detailed steps to reproduce the issue
• Impact | 影響範圍: What an attacker could achieve
• Affected Versions | 受影響版本: Which versions are affected
• Suggested Fix | 建議修復方式: If you have a suggestion (optional)

• Vulnerabilities in third-party dependencies (report to upstream maintainers)

• Issues in user projects that adopt UDS standards

• Social engineering attacks

• 第三方依賴的漏洞（請回報給上游維護者）

• 採用 UDS 標準的使用者專案中的問題

• 社交工程攻擊

We follow Coordinated Disclosure:

我們遵循協調揭露原則：

1. Reporter submits vulnerability privately | 回報者私下提交漏洞
2. We acknowledge and assess | 我們確認並評估
3. We develop and test a fix | 我們開發並測試修復
4. We release the fix | 我們發布修復
5. We publicly disclose the vulnerability (with credit to reporter) | 我們公開揭露漏洞（附上回報者致謝）

We will credit reporters in the release notes unless they prefer to remain anonymous.

除非回報者希望匿名，否則我們會在發布說明中致謝。

When using UDS in your projects:

在您的專案中使用 UDS 時：

• Keep UDS CLI updated to the latest version | 保持 UDS CLI 為最新版本
• Review standards before adopting (especially security-standards.md) | 採用前審閱標準（特別是 security-standards.md）
• Run npm audit regularly on your projects | 定期對專案執行 npm audit
• Follow the security standards defined in core/security-standards.md | 遵循 core/security-standards.md 定義的安全標準