We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

If you discover a security vulnerability, please do not open a public issue. Instead, please report it via one of the following methods:

1. Email: Send an email to the maintainers (if contact information is available)
2. Private Security Advisory: Use GitHub's private vulnerability reporting feature if available

Please include the following information:

• Type of vulnerability
• Full paths of source file(s) related to the vulnerability
• Location of the affected code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue

We will acknowledge receipt of your vulnerability report and work to validate and address it as quickly as possible.

• We will acknowledge your report within 48 hours
• We will provide a detailed response to your report within 7 days
• We will keep you informed of the progress towards fixing the vulnerability
• We will notify you when the vulnerability has been fixed

We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.