
Security: VrianCao/hmd

SECURITY.md

Security Policy

HMD processes untrusted text, renders HTML, imports generated HTML, distributes native binaries, and exposes WASM bindings. Security reports are treated as release-blocking when they affect user data, local files, generated HTML safety, install flows, or parser/runtime reliability.

Supported Versions

HMD is currently pre-1.0 alpha.

Version                Security support
Latest alpha           Best-effort fixes
Older alpha releases   Not guaranteed
Stable releases        Not yet available

Until a stable release exists, users should upgrade to the latest alpha for fixes.

Reporting a Vulnerability

Preferred path: use GitHub's private vulnerability reporting from the repository Security tab.

If private reporting is not available, do not post exploit details in a public issue. Open a minimal public issue asking for a security contact, without disclosing the vulnerability details.

Please include, when safe:

  • Affected package, binary, or artifact.
  • A minimal input file or reproduction steps.
  • Expected impact.
  • Whether the issue is already public.
  • Any suggested mitigation.

Response Targets

Current alpha-stage targets:

  • Acknowledge report: within 3 business days.
  • Initial triage: within 7 business days.
  • Fix timeline: based on severity and release complexity.
  • Disclosure: coordinated after a fix or mitigation is available.

These are targets, not contractual guarantees.

In Scope

  • Parser crashes, resource exhaustion, or denial of service on crafted .hmd input.
  • Unsafe HTML rendering, script injection, or broken escaping.
  • Importer behavior that trusts untrusted HTML incorrectly.
  • CLI file overwrite, path traversal, or unsafe filesystem behavior.
  • WASM boundary issues that expose unsafe behavior to host applications.
  • Release artifact tampering, installer compromise, or checksum mismatch.
  • Dependency vulnerabilities affecting distributed binaries or libraries.

Out of Scope

  • Issues that require an attacker who already has arbitrary code execution as a trusted local user.
  • Vulnerabilities only present in modified forks.
  • Social engineering, spam, or account takeover outside this repository.
  • Third-party profiles or plugins not maintained by this project.

Security Design Principles

  • HMD documents must not execute arbitrary code.
  • HTML output must be safe by default and readable without JavaScript.
  • Third-party profile execution should be disabled by default unless explicitly designed and sandboxed.
  • Release artifacts should be verifiable through checksums, and future stable releases should add stronger provenance.
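The last principle above is the one a downstream user can act on today. The script below is an added example of the check a practitioner would run before trusting a downloaded artifact; it is not part of the HMD project or its release tooling. It assumes the release ships a checksum list in the standard `sha256sum` format (one `<hex digest>  <filename>` line per artifact); the file name `SHA256SUMS.txt` and the artifact names are constructed for the demo and are not the project's real names. The demo builds a fake release in a temp directory, verifies the good artifact, then shows that a tampered copy and an unlisted file are both rejected.

```shell
#!/bin/sh
# Added example (not HMD project code): verify a release artifact against a
# sha256sum-format checksum list. Assumptions: the checksum file is named
# SHA256SUMS.txt and lists "<digest>  <filename>"; artifact names are made up.
set -eu

# Print only the hex digest of a file; falls back to shasum on systems
# (e.g. macOS) that lack GNU sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_artifact <path> <checksum-list>
# Returns 0 when the digest matches, 1 on mismatch, 2 when the file is not
# listed at all (an unlisted file must never be treated as verified).
verify_artifact() {
  artifact=$1
  sums=$2
  name=$(basename "$artifact")
  # Match the whole second field, not a substring, so "hmd.tar.gz" does not
  # satisfy a lookup for "hmd.tar.gz.sig" or vice versa.
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum listed for $name" >&2
    return 2
  fi
  actual=$(sha256_of "$artifact")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
  echo "ok: $name"
  return 0
}

# Constructed demo release: a fake binary archive plus its checksum list.
demo_dir=$(mktemp -d)
good="$demo_dir/hmd-demo-linux-x86_64.tar.gz"
tampered="$demo_dir/hmd-demo-tampered.tar.gz"
unlisted="$demo_dir/hmd-demo-unlisted.tar.gz"
sums="$demo_dir/SHA256SUMS.txt"

printf 'not a real hmd binary\n' > "$good"
cp "$good" "$tampered"
cp "$good" "$unlisted"
printf '%s  %s\n' "$(sha256_of "$good")" "$(basename "$good")" > "$sums"
# Record the tampered name with the digest of the ORIGINAL bytes, then alter
# the bytes, which is what a swapped download looks like to the verifier.
printf '%s  %s\n' "$(sha256_of "$tampered")" "$(basename "$tampered")" >> "$sums"
printf 'appended by attacker\n' >> "$tampered"

# Intact artifact verifies.
verify_artifact "$good" "$sums"
# Tampered artifact is rejected.
if verify_artifact "$tampered" "$sums"; then
  echo "BUG: tampered artifact accepted" >&2
  exit 1
fi
# A file absent from the list is rejected too, not silently accepted.
if verify_artifact "$unlisted" "$sums"; then
  echo "BUG: unlisted artifact accepted" >&2
  exit 1
fi
echo "tamper and unlisted cases rejected as expected"
```

A checksum list only proves the download matches what the publisher posted; if the list is fetched from the same place as the artifact, an attacker who can swap one can swap both. That is the gap the policy's "stronger provenance" clause refers to, and until then the list should be obtained from a second channel (the release page over TLS, or a signature when one is published) rather than from the mirror that served the binary.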
