Security Policy

Scope

Security coverage applies to the main branch and published releases; forks and custom deployments are self-supported. The project ships static assets (HTML, CSS, JavaScript). Server-side incidents fall outside this scope.

Reporting

Do not open public issues for suspected vulnerabilities. Submit reports through GitHub's "Report a vulnerability" workflow or email the maintainer listed on the repository profile. Provide reproduction steps, affected files, browser context, and any suggested mitigations. Mark the report as time-bound if external disclosure deadlines apply.

Response

Maintainers acknowledge valid reports as bandwidth permits and will coordinate fixes and disclosure timing with the reporter.