Security vulnerabilities should be disclosed to the project maintainers through our public immutable bug bounty program or email us at [email protected].

Security vulnerabilities will be patched as soon as responsibly possible, and published as an advisory on this repository.

Please see Releases. We recommend using the most recently released version.

Security patches will be released for the latest minor of a given major release. For example, if an issue is found in versions >=1.1.0 and the latest is 1.8.0, the patch will be released only in version 1.8.1.

Only critical severity bug fixes will be backported to past major releases.