
Security: suggestionsbot/suggestions-bot

SECURITY.md

Security Policy

Supported Versions

Only the latest master branch is actively maintained; any security patches will be applied to that branch.

Older versions will not have patches backported.

Reporting a Vulnerability

TLDR

We recommend opening a private security advisory on GitHub, following the process described in GitHub's documentation.

Alternatively, reach out to the maintainers via Discord (@skelmis).


Your research

We ask that anyone conducting testing:

  • Makes every effort to avoid impacting other users of our systems
  • Avoids any activities that disrupt, degrade or interrupt our services or may compromise other users' data. This includes things such as spam, brute-forcing, DoS, etc.
  • Keeps vulnerability information private until we have had the ability to roll out fixes

Our commitment

If you meet the expectations laid out, we commit to:

  • Acknowledging any reports and keeping you informed of how we are tracking on fixes
  • Acting in good faith when interacting with you
  • Recognising your contribution via means such as security advisories on the affected services and/or CVEs

We aim to fix any issues as soon as possible; however, as this project is not a dedicated resource, this may not always be possible. We therefore aim for full resolution of all acknowledged issues within 90 days. If this is not possible, we will discuss the reasons for the delay with you.

Report details

At a minimum, your report should contain:

  • The affected service
  • A description of the vulnerability
  • Complete reproduction steps

You may include other items in your report as you please. Some examples:

  • The perceived impact
  • The perceived likelihood of exploitation
  • A list of users to credit for the disclosure
