Thank you for reporing vulnerabilities to us!

If you find a vulnerability in the Typst web application, please use the "Security" tab on GitHub to report it privately. Alternatively, send an email with [Security web app] in the subject line to hello@typst.app.

When reporting your vulnerability, please precisely describe how to trigger it and what resources you have found to be impacted.

We will try to quickly respond after checking your report. Our response will inform you whether accept the vulnerability, or whether we decline it with respect to user impact, our threat model, etc. If accepted, we will notify you once the issue got fixed. Please do not publicly disclose it beforehand.