All versions of our software are supported by this policy. However only the most recent version is supported for vulnerability reporting on its repository and is eligible for fixes and new releases. If a vulnerability is found in older versions of the software, a vulnerability report should instead be made on dependant software, so that an update may be issued.
If a security vulnerability is discovered, we ask for a non-public disclosure. The repository "Issues" tracker is fully public. Security vulnerabilities can be privately disclosed on the repository's "Security" page (https://github.com/PretendoNetwork/NAME/security/advisories/new). Maintainers will be automatically notified and any non-notified, relevant, contributors will be made aware internally.
We understand the desire to publicly disclose security vulnerabilities following a non-public disclosure. We ask that you give us ample time to research the vulnerabilities, issue fixes, and update relevant software before this. Pretendo Network is maintained almost entirely on volunteer time, with a single full time developer. Thus communication may be slow, and we may need more than the typical amount of time to provide fixes.