The detailed threat model, capability disclosure, sandbox architecture, audit history, and the mapping of each Obsidian community plugin scanner finding to its mitigation live in REVIEWER_NOTES.md. That document is the primary reference for community plugin reviewers and security-aware users.
Please report security findings by opening an issue.
Expected response time:
- Acknowledgement: under 7 days
- Fix or documented decision to defer: under 30 days
If a vulnerability is exploitable today and you can provide a reproducer, we will prioritise it ahead of feature work.