To report a (potential or confirmed) security issue, please email [email protected] with a description of the issue, steps to reproduce it, affected versions, and if known, mitigations for the issue.
Since this is a small project, there's no list of supported versions. I will attempt to reply to reports within a working week, and to fix and disclose vulnerabilities within 90 days, but this is not a guarantee.
Optionally, you can encrypt the email with my GPG key, see for details https://k1024.org/contact/.
Alternatively, you can use the GitHub "Private vulnerability reporting" functionality (but note this is beta).