Security fixes are applied to the most recent minor release line on master.
Older majors are best-effort only; please upgrade to receive patches.

| Version | Supported |
|---|---|
| 2.x | ✅ |
| < 2.0 | ❌ |

Please do not open a public GitHub issue for security reports. They are indexed by search engines as soon as they appear, which often defeats the point of responsible disclosure.
Instead, use one of the following private channels:
- GitHub's Private Vulnerability Reporting (preferred).
- Email the maintainer at the address listed on the GitHub profile.

When you report, please include:
- A description of the vulnerability and its impact.
- Steps to reproduce, ideally a minimal proof of concept.
- The affected version, environment and config.
- Whether you have a suggested fix.

| Stage | Target SLA |
|---|---|
| Acknowledgement | within 48 hours of receipt |
| Initial assessment | within 5 working days |
| Fix or mitigation | proportional to severity (CVSS-driven) |
| Public disclosure | coordinated with the reporter; default 90 days |

We will credit reporters in the release notes unless you ask to remain anonymous.

This boilerplate ships with the controls listed in
wiki/instructions.md.
If you find one of those controls is not actually enforced in code, that is a
security bug — please report it via the channels above.