We provide security updates for the main branch and the latest release line.
Older versions may not receive patches.
| Version | Supported |
|---|---|
main |
Yes |
| Latest release | Yes |
| Older releases | No |
Please do not open public GitHub issues for security vulnerabilities.
To report a vulnerability, email:
bo.li@microsoft.com
Include the following details when possible:
- A clear description of the issue and potential impact.
- Steps to reproduce (or a proof of concept).
- Affected versions, branches, and files.
- Any suggested mitigation.
We will:
- Acknowledge receipt within 5 business days.
- Validate and triage the report.
- Work on a fix and coordinate disclosure timing.
- Credit the reporter when appropriate and requested.
We follow responsible disclosure:
- Keep reports private until a fix or mitigation is available.
- Coordinate release notes with severity and affected scope.
- Encourage reporters to avoid publishing exploit details before patch release.