Only the latest version on main is supported with security updates.

If you discover a security vulnerability, please report it responsibly:

1. Do not open a public issue
2. Use GitHub Security Advisories to report privately
3. You should receive an acknowledgment within 48 hours

The following areas are in scope for security reports:

• Profile code (Microsoft.PowerShell_profile.ps1) - command injection, unintended code execution
• Setup scripts (setup.ps1, setprofile.ps1) - privilege escalation, unsafe downloads
• Update mechanism (Update-Profile) - hash verification bypass, MITM concerns
• Credential handling - API key exposure (e.g., VirusTotal), PSReadLine history filtering

• Update-Profile requires SHA-256 hash verification (or explicit -SkipHashCheck)
• PSReadLine history filters out lines containing: password, secret, token, api[_-]?key, connectionstring, credential, bearer
• Repository download URLs are centralized (not hardcoded inline)