Security: ScottsSecondAct/delineata

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.2.x
< 0.2

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Instead, report vulnerabilities privately using one of the following methods:

  1. GitHub Private Vulnerability Reporting: Use the Security Advisories page to submit a private report directly on GitHub.
  2. Email: Send details to scott@ScottsSecondAct.com.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected version(s)
  • Potential impact

What to Expect

  • Acknowledgment within 72 hours of your report
  • Status update within 7 days with an initial assessment
  • Resolution timeline communicated once the issue is confirmed
  • Credit in the release notes (unless you prefer to remain anonymous)

Scope

Delineata is a client-side web application that processes user-supplied diagram files (.dlnt, .vsdx) entirely in the browser. Relevant security concerns include:

  • Unsafe parsing of malicious .vsdx or .dlnt archive content
  • Cross-site scripting (XSS) via injected SVG or HTML content in diagram files
  • Denial of service via crafted files that trigger excessive memory or CPU usage
  • Unintended data exfiltration through the file export pipeline

Out of Scope

  • Issues requiring physical access to the machine
  • Social engineering
  • Vulnerabilities in upstream dependencies with existing fixes (please check first)
