This document outlines security procedures and policies for the Citizen skin.
Only the latest version of the skin is supported with security updates. Security updates are not backported to older versions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report all vulnerabilities privately through GitHub.
You should receive a response within 24 hours. All coordination and disclosure are handled through the GitHub advisory.
We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
We consider security research and vulnerability disclosure activities conducted in accordance with this policy to be authorized. We will not take legal action against you for research and disclosure activities that follow this policy.
For the security advisory to be published:
- The security advisory must contain a CVE ID
- The vulnerability must be fixed in the `main` branch
- A new release must be published