The latest master branch is actively maintained and any security patches will be applied to that branch.
Older versions will not have patches backported.
We recommend opening a security advisory on GitHub, as per the documentation.
Alternatively, reach out to the maintainers via Discord (@skelmis).
We ask that anyone conducting testing:
- Makes every effort to avoid impacting other users of our systems
- Avoids any activities that disrupt, degrade or interrupt our services or may compromise other users' data. This includes things such as spam, brute forcing, DoS, etc.
- Keeps vulnerability information private until we have had the ability to roll out fixes
If you meet the expectations laid out, we commit to:
- Acknowledging any reports and keeping you informed of how we are tracking on fixes
- Acting in good faith when interacting with you
- Recognising your contribution via means such as security advisories on the affected services and/or CVEs
We will aim to fix any issues as soon as possible; however, as we are not a dedicated resource, this may not always be possible. As such, we aim for full resolution of all acknowledged issues within a 90-day period. If this is not possible, we will enter discussions with you as to the reason for the delay.
At a minimum, your report should contain:
- The affected service
- A description of the vulnerability
- Complete reproduction steps
You may include other items in your report as you please. Some examples are:
- The perceived impact
- The perceived likelihood of exploitation
- A list of users to credit for the disclosure