The following versions are supported:
- the latest tagged stable version
- the latest snapshot of the `production` branch
- the latest snapshot of the `master` branch
We welcome security reports for any supported version, and we will address them promptly.
If the vulnerability has low priority and is not directly exploitable (such as missing defensive code), please open an issue, and use the label `security`.
For all other vulnerabilities, please send an email to [email protected] and include the word "security" in the subject.
Please include the affected version, any details to reproduce the problem, and whether an exploit is possible.
We strive to triage all vulnerabilities promptly, and you should receive an update with a timeline shortly after your report.
If the vulnerability is confirmed, it will receive a CVE identifier as soon as it is issued.
Vulnerabilities in the `production` branch will be given additional priority.