If you think that you have found a security issue, don’t use the bug tracker and don’t publish it publicly. Instead, all security issues must be reported via a private vulnerability report.
Every submitted security issue is handled with top priority by following these steps:
- Confirm the vulnerability
- Determine the severity
- Contact reporter
- Work on a patch
- Get a CVE identification number (may be done by the reporter or a security service provider)
- Patch reviewing
- Tagging a new release for supported versions
- Publish security announcement