Security: sravanth-space/tiptap

SECURITY.md

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability in Tiptap, please report it responsibly. We appreciate your help in keeping our users safe.

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Send details to [email protected]. Include a description of the vulnerability, steps to reproduce, and any potential impact.

We will acknowledge receipt within 48 hours and provide updates as we investigate.

Response Process

Vulnerabilities are assessed and prioritized based on severity, exploitability, and business impact. Fixes are deployed according to the following timelines:

  • Critical (e.g., remote code execution, data breaches): Fixed and released within 24 hours.
  • High (e.g., significant data exposure): Fixed and released within 72 hours.
  • Medium (e.g., moderate leaks): Fixed and released within 14 days.
  • Low (e.g., minor issues): Addressed in the next scheduled update.

We follow responsible disclosure practices and will credit reporters unless requested otherwise.

Scope

This policy applies to all Tiptap packages and related infrastructure. Reports are handled through our established vulnerability management process.

Contact

For questions, email [email protected] or [email protected].