Please do not use public issues to report security vulnerabilities.
To report a vulnerability, please select the Security tab of the repo and click "Report a vulnerability".
This will open a private GitHub vulnerability report that only CoCo maintainers and security champions will be able to see.
The CoCo community aspires to follow the security best practices defined by OpenSSF, including responding to vulnerability reports within 14 days.
Please note that the CoCo community analyzes security issues only in the most recent release.
CoCo has not released any long-term supported versions yet, so patches will not be backported to earlier versions.
Patches will be released either as point versions of the current release, e.g. releasing v0.8.1 to correct v0.8, or as part of the next release, e.g. v0.9.
CoCo announces security issues and their fixes in the release notes of the patching version. For example, a vulnerability discovered in v0.8 and fixed in v0.8.1 will be announced in the release notes for v0.8.1.