The following versions of PDFX currently receive security updates:

Please do not report security vulnerabilities through public GitHub Issues.

If you discover a security vulnerability in PDFX, please report it responsibly by opening a private security advisory via the GitHub Security tab.

Please include the following in your report:

• A description of the vulnerability and its potential impact
• Step-by-step instructions to reproduce the issue
• Any proof-of-concept code, if applicable
• Your suggested fix, if you have one

• Acknowledgement: Within 48 hours of receiving your report
• Initial assessment: Within 5 business days
• Fix & disclosure: We aim to release a patch within 30 days for confirmed vulnerabilities

We will keep you informed throughout the process and credit you in the release notes (unless you prefer to remain anonymous).

This policy covers the following:

• @akii09/pdfx-cli — the PDFX command-line interface
• @pdfx/shared — shared types, schemas, and theme system
• The PDFX documentation site (apps/www)

Out of scope:

• Vulnerabilities in third-party dependencies (please report those upstream)
• Issues that require physical access to a user's machine

We follow a coordinated disclosure model. After a fix is released, we will publish a security advisory on GitHub with details of the vulnerability, its impact, and the fix.

Thank you for helping keep PDFX and its users safe!