The Vuetify team takes security seriously. We appreciate your efforts to responsibly disclose vulnerabilities and will make every effort to acknowledge your contributions.
For the full threat model, security properties, and CSP guidance, see the Security documentation.
To report a security issue, email security@vuetifyjs.com and include the word "SECURITY" in the subject line.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)

You can also report a vulnerability through GitHub Security Advisories.
Report security bugs in third-party modules to the maintainers of those modules.

- Initial Response — We will acknowledge receipt within 48 hours
- Investigation — We will investigate and keep you informed of progress
- Resolution — We will prepare and release fixes as quickly as possible
- Credit — We will credit you in the release notes (unless you prefer anonymity)

When we receive a security report, we will:
- Confirm the problem and determine affected versions
- Audit code to find any similar issues
- Prepare fixes for all maintained releases
- Release fixes to npm as quickly as possible

Internally, security incidents are handled according to a formal Incident Response Plan that defines severity classification, response timelines, and escalation procedures.
This policy applies to the @vuetify/v0 package and related packages in this repository.