The latest minor release tag is supported with security updates.
Please send the details of any vulnerability found to choopm.
You should encrypt your message if possible.
Do not simply post a vulnerability as issue. These will be deleted.
After verifying the vulnerability there will be a new release within 7 days usually.
We will always stay in contact during the development of a fix and will atleast notify you that we received your disclosure.
We ask you to not share any details with 3rd parties within the 7 days embargo or exact time we tell you.
All vulnerabilities will be posted and made public at some point after the fix has been propagated. The exact time depends on the type of vulnerability and it's potential consequences.