Please see the VERSIONS.md file for a list of supported versions and information about our support policies.

Please send us an email at [email protected] with your vulnerability report. We will aim to respond within 1 working day with our response to your vulnerability report (which will be one of rejected, needs internal review, further information required, or accepted). In extreme cases, please allow us up to 30 days to review your report - which is what we would consider the responsible disclosure period.

If the vulnerability is accepted or requires review, we will keep in touch with you regarding the status and/or details of the fix (except where security or other unforeseen reasons prevent us from doing so - at which point we will inform you as such.)

If we reply indicating that the status is further information required, we were either unable to understand your report, or further information was needed to understand what the issue was, or how to fix it.

Otherwise, we will inform you that the report has been rejected, at which point you are free to publicly report the vulnerability on this repository or elsewhere.