HopsMD is pre-1.0 and only the latest minor receives fixes.

| Version | Supported |
|---|---|
| 0.x.y (latest) | ✅ |
| older 0.x | ❌ |
Please do not open a public issue for security findings.
Use GitHub's private vulnerability reporting:
- Go to https://github.com/lootwitch/HopsMD/security/advisories/new
- Fill in what you observed, how to reproduce, and the impact you see
- Submit — the report is visible only to repo maintainers
You'll get an acknowledgement within a few days. If the finding is valid, we'll work on a fix in a private draft advisory and credit you (or stay anonymous if you prefer) in the release notes when the patched version ships.
In scope for security reports:
- The Tauri Rust backend (filesystem access, command handlers, watcher)
- Markdown rendering pipeline (marked, DOMPurify, Angular sanitization)
- Mermaid diagram rendering
- The auto-updater signature verification
Out of scope:
- Third-party crates / npm packages — please report upstream
- SmartScreen warnings on unsigned installers: that is the documented state during the MVP (see docs/RELEASE.md)
- Reading arbitrary files outside the chosen Sudhaus is a feature of `tap_recipe` by design (the user picks the folder); only behaviour that bypasses the user-selected scope qualifies
The ed25519 private key used to sign update artefacts is held as a GitHub Actions secret and never appears in this repo. If you suspect the key has been compromised, treat that as in scope and report it.
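To make concrete what the in-scope "auto-updater signature verification" has to guarantee, here is an added example; it is not HopsMD's or Tauri's own code (Tauri's updater uses minisign-style ed25519 keys, and this does not reproduce that file format). It uses Go's standard-library ed25519 over a SHA-256 digest of a constructed artefact. The key pairs, the artefact bytes and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is what an updater should surface when a downloaded
// artefact does not verify; nothing is installed in that case.
var ErrBadSignature = errors.New("update artefact signature does not verify")

// SignArtefact models the release-pipeline side: the signing key (held as a
// GitHub Actions secret in the real project, generated fresh in this example)
// signs the SHA-256 digest of the artefact bytes.
func SignArtefact(priv ed25519.PrivateKey, artefact []byte) []byte {
	digest := sha256.Sum256(artefact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtefact models the client side: the updater only accepts an artefact
// whose signature verifies under the public key shipped with the app. Any
// byte change in the artefact, or a signature made with another key, fails.
// The length checks matter: ed25519.Verify panics on a malformed public key
// rather than returning false.
func VerifyArtefact(pub ed25519.PublicKey, artefact, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(artefact)
	if !ed25519.Verify(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// Outcome records the three cases an updater's verification must get right.
type Outcome struct {
	GenuineAccepted  bool
	TamperedRejected bool
	WrongKeyRejected bool
}

// Demo signs a constructed stand-in for an installer, then verifies the
// genuine artefact, a tampered copy, and a copy signed by an unrelated key.
func Demo() (Outcome, error) {
	var out Outcome

	// Constructed sample artefact; a real one would be the installer bytes.
	artefact := []byte("constructed stand-in for an installer artefact")

	pub, priv, err := ed25519.GenerateKey(rand.Reader) // release key (CI secret)
	if err != nil {
		return out, err
	}
	sig := SignArtefact(priv, artefact)
	out.GenuineAccepted = VerifyArtefact(pub, artefact, sig) == nil

	// Flip one byte: the digest changes, so the signature no longer verifies.
	tampered := append([]byte(nil), artefact...)
	tampered[0] ^= 0x01
	out.TamperedRejected = errors.Is(VerifyArtefact(pub, tampered, sig), ErrBadSignature)

	// Sign with a different key: a valid signature under the wrong key is
	// what a substituted key would produce, and it must also be rejected.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	otherSig := SignArtefact(otherPriv, artefact)
	out.WrongKeyRejected = errors.Is(VerifyArtefact(pub, artefact, otherSig), ErrBadSignature)

	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, wrong key rejected: %v\n",
		out.GenuineAccepted, out.TamperedRejected, out.WrongKeyRejected)
}
```

Note what this check cannot do: a signature made with the genuine private key verifies by construction, so if that key leaks, the updater will accept whatever the holder signs. That is why a suspected key compromise is in scope above even though no verification bug is involved.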