We release patches for security vulnerabilities for the following versions:

We take security seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to eduardo@aguilar-pelaez.co.uk.

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the following information in your report:

• Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• A confirmation email within 48 hours
• A CVE identifier if applicable
• An invitation to submit a pull request to fix the vulnerability
• Credit in the release notes and security advisory

We support safe harbor for security researchers who:

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
• Only interact with accounts you own or with explicit permission of the account holder
• Provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third-party

We will not take legal action against you or administrative action against your account if you act according to this policy.