Security: posit-dev/pointblank

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in this project or any other software maintained by Posit, PBC, we encourage you to report it responsibly. Please do not open a public issue. Instead, please use the Report a vulnerability function available via the security tab.

Your report should include (if possible):

  • a clear description of the vulnerability, including impact and affected versions
  • steps to reproduce the issue
  • any relevant code snippets, logs, or a proof-of-concept exploit
  • suggested remediation or mitigation, if known

We aim to acknowledge receipt of your report within 7 business days and provide an update on remediation progress within 14 business days.

Coordinated Disclosure

We follow a coordinated disclosure approach. Once the issue is confirmed and a fix is ready, we will:

  • notify you prior to public disclosure
  • credit you in the release notes (unless you prefer to remain anonymous)
  • publish a security advisory and update affected versions
  • if severe enough, assist with publishing a CVE

Security Best Practices

To minimize your exposure:

  • always use the latest stable release
  • avoid running our tools with unnecessary privileges
  • review and validate third-party extensions or plugins before use