Please report security vulnerabilities privately — do not file public GitHub issues for security problems.

Use GitHub's Private Vulnerability Reporting for this repository. This routes the report directly to the maintainers and keeps the disclosure confidential until a fix is available.

This repository hosts the Apollo design system: @uipath/apollo-core, @uipath/apollo-react, @uipath/apollo-wind, @uipath/ap-chat, and supporting tooling. Reports about these packages — including their build pipeline, published artifacts, and the public documentation deployments — are in scope.

Out of scope: vulnerabilities in third-party dependencies that have a published advisory; report those upstream.

We aim to acknowledge reports within 3 business days. After triage we will work with you on a disclosure timeline. Coordinated disclosure is appreciated.