Security: umfhero/ThoughtsPlus

SECURITY.md

Security Policy

Thanks for helping keep ThoughtsPlus and its users safe.

Reporting a vulnerability

Please do not create public issues, pull requests, or social media posts for security reports.

Preferred method:

  1. Use GitHub's Private Security Advisories for this repository.
  2. Provide the details listed in "What to include" below.

If private advisories are not available on your account, open a minimal issue asking for a private contact method and we will follow up.

What to include

  • A clear description of the vulnerability and potential impact
  • Steps to reproduce (proof of concept if possible)
  • Affected versions or commit SHAs (if known)
  • Any relevant logs, screenshots, or stack traces

Supported versions

We focus security fixes on:

  • The latest Microsoft Store release of ThoughtsPlus
  • The current main branch

Older releases may not receive patches.

Disclosure

Please allow time for triage and a fix before public disclosure. We aim to acknowledge reports within 7 days and provide status updates as we make progress.

Out of scope

  • Social engineering or physical attacks
  • Denial of service against hosted services
  • Issues only affecting third-party dependencies (please report upstream as well)
