# Security Policy — TypeCrt

## Supported Versions

Currently, only the latest release version of TypeCrt is supported with security updates. We highly recommend running the most recent version available to ensure you have the latest features, performance improvements, and security patches.

| Version | Supported          |
| ------- | ------------------ |
| v1.0.x  | :white_check_mark: |
| < 1.0.0 | :x:                |

## Reporting a Vulnerability

Security is a top priority for TypeCrt. If you discover a vulnerability or potential security issue, please report it immediately.

**Please DO NOT open a public GitHub issue for security vulnerabilities.**

Instead, please send an email directly to **<lunamaze.dev@gmail.com>**. When reporting, please include:

1. A description of the vulnerability.
2. The steps required to reproduce the issue.
3. The browser and version you are using.
4. Any potential impact or severity assessment.

We will acknowledge receipt of your vulnerability report within 48 hours and strive to send you regular updates about our progress. If the vulnerability is confirmed, we will release a patch as soon as possible.

## Data Security & Privacy

As outlined in our [Privacy Policy](./PRIVACY.md), TypeCrt is entirely client-side. It does not send typing data, keystrokes, or profile information to any external server. All configuration and analytics data is stored securely in your browser's local storage (`localStorage`).

Vulnerabilities typically associated with remote code execution, database injection, or unauthorized API access are non-existent by design in our client-side architecture. However, we remain vigilant against potential vulnerabilities such as Cross-Site Scripting (XSS) or malicious data injection via custom quotes.