# Security Policy
## Supported Versions
I try to keep the latest released minor version of dotfiles patched for security issues.
Older releases are best-effort — if you're on one, upgrading is the shortest path to a fix.
| Version | Supported |
| --------- | ------------------ |
| latest | yes |
| previous | best-effort |
| older | no |
## Reporting a Vulnerability
If you think you've found a security issue in dotfiles (personal shell/editor/tmux/nvim config), please do not open a public
GitHub issue. Instead, email **security@merce.dev** with:
- A short description of the problem
- A minimal reproduction or proof-of-concept
- The version / commit you found it on
- Any impact assessment you've already done
I'll acknowledge within 72 hours and try to have an initial triage within a week.
For issues that turn out to be real, I aim to ship a fix within 30 days, coordinate a
disclosure date with you, and credit you in the release notes unless you'd rather be
anonymous.
## Out-of-scope
- Issues in third-party dependencies (please report those upstream; I'll pull in fixes)
- Social-engineering / phishing scenarios
- Self-inflicted "what if the attacker already has root" cases
## Thanks
This is a small project and I appreciate the time it takes to report things responsibly.