If you discover a security vulnerability in Scriptty, please report it privately so it can be fixed before public disclosure.
Preferred: use GitHub's private vulnerability reporting.
Alternative: email the maintainer at hrishi.kb@gmail.com with a description, reproduction steps, and impact assessment.
You should expect an initial response within 7 days. Please do not file public issues for security problems.
In scope:
- The Scriptty desktop application (Tauri shell, SvelteKit UI, Typst rendering pipeline)
- The release / build workflows under .github/workflows
Out of scope:
- Third-party dependencies (report upstream and notify us)
- Content within user-authored screenplays