If you discover a security vulnerability in theSVG, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email: hello@thesvg.org

We will acknowledge receipt within 48 hours and provide a detailed response within 5 business days.

The following are in scope:

• The @thesvg/icons and thesvg npm packages
• The thesvg.org website
• The build and publish pipeline
• SVG content that contains malicious payloads (script tags, event handlers, etc.)

• Third-party integrations or extensions
• Individual brand icon accuracy or design (contact the brand owner)

All SVG files in this package are automatically scanned for:

• Embedded <script> tags
• Inline event handlers (onload, onerror, etc.)
• javascript: URIs
• eval() or new Function() in generated code

See packages/icons/scripts/security-audit.mjs for details.