| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately via GitHub's Security Advisory feature: Report a vulnerability
Or email: security@markitdownjs.dev (if configured)
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
- Acknowledgement: within 48 hours
- Assessment: within 7 days
- Fix + disclosure: coordinated with reporter
In scope:
- Remote code execution
- Arbitrary file read/write via document parsing
- Dependency confusion attacks
- Prototype pollution
Out of scope:
- Vulnerabilities in dependencies (report upstream)
- Issues requiring physical access
- Social engineering