Security: Foscat/Interactive-Surface-CSS

SECURITY.md

Security Policy

Supported Versions

Security fixes are applied to the latest stable release.

Older versions may not receive fixes.

Reporting a Vulnerability

Do not report vulnerabilities in public issues.

Use one of these private channels:

  1. GitHub private vulnerability report: https://github.com/Foscat/Interactive-Surface-CSS/security/advisories/new
  2. Maintainer contact page: https://github.com/Foscat

What to Include

Please include:

  • affected version or commit
  • impact summary
  • clear reproduction steps
  • proof of concept if safe to share
  • any suggested mitigation

Response Process

The maintainer will aim to:

  1. acknowledge receipt
  2. validate and triage severity
  3. prepare a fix if needed
  4. publish a patch
  5. disclose details after a fix is available when appropriate

Scope Notes

This is a CSS package, but security concerns may still involve:

  • release and package integrity
  • dependency supply chain risk
  • docs or examples that encourage unsafe patterns
  • unintended interaction behavior with accessibility implications

There aren’t any published security advisories