
Security: davidvictor/website-starter

SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you've found a security vulnerability in Website Starter, please report it privately rather than opening a public issue:

  1. GitHub Security Advisories (preferred): use the security advisories tab on this repository. GitHub will route the report directly to maintainers and allow private back-and-forth.
  2. Email: send details to david@davidvictor.me with the subject line Security: <short description>.

Please include:

  • A description of the issue and its potential impact.
  • Steps to reproduce, ideally with a minimal example.
  • The version / commit you tested against.

You should receive an acknowledgement within 72 hours. Critical issues will be triaged and patched ahead of the regular release cadence.

Scope

Website Starter is a starter template, not a production application. Reports that apply to the project itself (e.g., a dependency vulnerability, a build-config issue, an XSS in a shipped block) are in scope. Reports about a downstream client clone are best handled with that project's maintainer.

Disclosure

We follow a 90-day coordinated disclosure window by default. Issues are credited in the advisory unless the reporter prefers to remain anonymous.
