Security: rogerchappel/stackforge

SECURITY.md

Security Policy

Supported Versions

This template repository does not currently publish versioned software releases.

Repositories generated from this template should replace this section with their own supported version policy before publishing or accepting production use.

Reporting a Vulnerability

Please do not report suspected vulnerabilities in public issues, pull requests, or discussions.

If GitHub private vulnerability reporting is enabled for this repository, use the repository's Security tab to submit a private vulnerability report.

If private vulnerability reporting is not enabled, contact the maintainers through the public project channels and ask for the appropriate private reporting path. Do not include exploit details, secrets, personal data, or sensitive technical details in public messages.

What to Include

When a private reporting path is available, include:

  • A clear description of the issue.
  • Affected files, templates, workflows, packages, or generated repository defaults.
  • Steps to reproduce, proof of concept, or attack scenario when safe to share.
  • Potential impact.
  • Suggested mitigation, if known.

Response Expectations

Maintainers will review good-faith reports as capacity allows.

This policy does not provide paid support, guaranteed response times, guaranteed fixes, or service-level agreements. Generated repositories should define their own response expectations if they need a stricter policy.

Security Scope

In scope:

  • Insecure defaults in this template.
  • Templates that could cause generated repositories to expose secrets or unsafe workflows.
  • CI, dependency, or release guidance that creates avoidable security risk.

Out of scope:

  • Vulnerabilities in unrelated downstream projects that only copied part of this template.
  • General support requests.
  • Requests for guaranteed maintenance timelines.

Generated Repositories

Repositories generated from this template must customize their security policy before public release. See docs/security-policy.md for guidance.

There aren't any published security advisories