This template expects generated projects to use GitHub private vulnerability reporting. Replace this file with the actual support policy before publishing a generated repository.

Do not claim support windows or release lines until the generated project actually maintains them. For a brand-new project, a short policy such as "only the latest release is supported" is usually enough.

Report vulnerabilities privately through GitHub's private vulnerability reporting flow when it is enabled for the generated repository.

Do not use public GitHub issues, pull requests, discussions, chat channels, or other public forums for vulnerability reports.

When reporting a vulnerability, include as much of the following as possible:

• affected version, commit, or deployment identifier
• a description of the issue and the security impact
• steps to reproduce or a minimal proof of concept
• any relevant logs, screenshots, or traces
• any suggested mitigations or fixes, if available

If the project has a documented disclosure timeline, add it here. If not, keep the policy short and avoid inventing guarantees.