Security: OpenGeometry-io/OpenPlans

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in OpenPlans, please report it privately rather than opening a public issue.

The preferred channel is GitHub's private vulnerability reporting:

  1. Go to https://github.com/OpenGeometry-io/OpenPlans/security/advisories.
  2. Click Report a vulnerability.
  3. Fill in the form with as much detail as you can: affected version(s), reproduction steps, impact, and any suggested mitigation.

We aim to acknowledge reports within 72 hours and to provide a remediation plan within 14 days for confirmed issues.

Scope

OpenPlans is a client-side library that runs entirely in the user's browser. We are particularly interested in:

  • Vulnerabilities in our published npm package (@opengeometry/openplans)
  • Issues in the underlying OpenGeometry WebAssembly kernel that are exposed through OpenPlans APIs
  • Cross-site scripting (XSS) or unsafe DOM behavior introduced by the library
  • IFC, PDF, or DXF exports that produce malformed or unsafe output capable of harming downstream consumers

Out of scope:

  • Vulnerabilities in user-deployed applications that integrate OpenPlans
  • Issues in third-party peer dependencies (three, camera-controls, jspdf, lil-gui) — please report those upstream

Disclosure

We follow a coordinated disclosure model. After a fix lands and is published, we credit the reporter in the release notes unless they prefer to remain anonymous.