Your security is very important to us. We believe in the benefits of open source and also in strong security; this document provides guidelines for how to report and handle vulnerabilities.
We provide security updates only for the most recent version of our project, and the prior major release. Older releases are not supported with security updates. Please ensure you're using one of the supported version ranges to receive security updates:
Version | Supported |
---|
If you discover a security vulnerability, please refrain from creating a public issue on GitHub. Instead, please create a new issue and use the label "security" to tag it. This gives us a chance to fix the issue and create an official release prior to the issue becoming public.
When reporting a vulnerability, please provide the following information:
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Any known impact
- Any possible solutions or mitigations
We will review the issue in the most timely manner possible and strive to communicate regularly about the status of the vulnerability, such as whether it's accepted, fixed, or declined.
When a reported vulnerability has been addressed, we will create a security patch release and add a post to our website detailing the issue and the solution, without exposing sensitive information or any details that could lead to exploitation of the vulnerability.