Security: phcdevworks/spectre-shell-wordpress

Security Policy

Supported Versions

We aim to support the latest published version of Spectre Shell WordPress. Security updates are applied to the current major version only.

Version    Supported
1.x.x      Yes
< 1.0      No

Please ensure you are using the most recent version of both:

  • This template
  • vite and other dependencies (updated in package.json)

Older releases may not receive security fixes.

Reporting a Vulnerability

If you discover a security vulnerability, please DO NOT open a public issue. Security issues should be reported privately to protect users.

How to Report

Preferred method: Use GitHub Security Advisories to privately report vulnerabilities

Alternative methods:

  • Email the maintainers at [security contact - see repository]
  • Direct message maintainers through GitHub

What to Include

Please provide as much detail as possible to help us reproduce and assess impact:

  1. Description of the vulnerability and potential impact
  2. Steps to reproduce or proof-of-concept code
  3. Affected versions (if known)
  4. Potential attack scenarios
  5. Suggested mitigation (if you have ideas)

What to Expect

  1. Acknowledgment: We will acknowledge receipt within 48 hours
  2. Assessment: We will investigate and provide an initial assessment within 5 business days
  3. Updates: We will keep you informed of the fix status throughout the process
  4. Resolution: We will work on a fix and coordinate disclosure timing with you
  5. Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

Responsible Disclosure

We appreciate responsible disclosure and will work with you to:

  • Understand the scope and severity of the issue
  • Develop and test a fix
  • Coordinate public disclosure timing
  • Credit your contribution (if desired)

Please allow us reasonable time to address the issue before public disclosure.

Security Best Practices

When using Spectre Shell WordPress:

  1. Keep dependencies updated to the latest versions
  2. Monitor dependencies for known vulnerabilities (npm audit)
  3. Use HTTPS for all production sites
  4. Follow WordPress security best practices for theme development
  5. Sanitize user input in WordPress templates

Scope

This security policy covers:

  • The Spectre Shell WordPress template code
  • Build configuration and compilation
  • WordPress theme asset loading
  • TypeScript source files

This policy does NOT cover:

  • Vulnerabilities in WordPress core (report to WordPress HackerOne)
  • Issues in Vite, Tailwind, or other dependencies (report to their maintainers)
  • WordPress plugin vulnerabilities
  • Server configuration issues

Contact

For security-related questions that aren't vulnerabilities:

Thank you for helping keep this template and our community safe!

There aren’t any published security advisories