If you discover a security vulnerability in xlex, please report it by:

1. Opening a private security advisory
2. Or contacting @yen0304 directly via GitHub

Please include:

1. Description of the vulnerability
2. Steps to reproduce
3. Potential impact
4. Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: 24-48 hours
  • High: 7 days
  • Medium: 30 days
  • Low: Next release

• We follow responsible disclosure
• We will credit reporters (unless anonymity is requested)
• Public disclosure after fix is released

When using xlex:

1. Validate input files - Don't process untrusted xlsx files without validation
2. Use latest version - Keep xlex updated
3. Review templates - Template placeholders can execute data transformations
4. Limit permissions - Run with minimal file system permissions

• xlex does not execute Excel macros (VBA)
• xlex does not evaluate formulas (values only)
• Template processing is sandboxed (no arbitrary code execution)