Only the latest minor version releases are supported (>= 0.13) for accepting vulnerability reports and patching fixes.
Existing vulnerability reports are being tracked in GitHub Security Advisories.
Important
Starting Nov 9, 2023 00:00 UTC, only security vulnerabilities reported through GitHub Security Advisories are accepted.
Pre-existing vulnerability reported through https://huntr.dev/ or email ([email protected]) will continue to be worked through.
- Report an advisory for the vulnerability.
- Please be aware that only advisories reported in plain English will be reviewed.
- Project maintainers review the advisory:
- Ask clarifying questions
- Make sure there was no prior advisory exists for the same vulnerability
- Confirm or deny the vulnerability
- Once the advisory is accepted, the reporter may submit a patch or wait for project maintainers to patch.
- The latter is usually significantly slower.
- Patch releases will be made for the supported versions.
- After 14 days of the release, publish the corresponding advisory on GitHub Security Advisories.
Thank you for making open source community a better place!