Security-related reports are considered for official numbered releases starting with v3.5. However, issues that do not affect the current Stable or Beta series are unlikely to be fixed. Please see http://www.squid-cache.org/Versions/ for the list of releases that belong to the current series.
Reports about security issues in the Development series are welcomed. However, the Development series contains experimental code that does not qualify for CVE allocation.
To report security-sensitive bugs, please post to the [squid-bugs mailing list](http://www.squid-cache.org/Support/mailing-lists.html#squid-bugs). It is a closed list (although anyone can post), and security-related bug reports are treated in confidence at least until the impact has been established.
The security team strives to manually acknowledge each new report within 48 hours. Please feel free to email a reminder if you have not heard from us within that time frame.
As a last resort (e.g., if the squid-bugs contact point appears to be broken), contact the release maintainer directly. The maintainer is on the security team but may not be able to respond promptly.
Reporters wishing to encrypt their vulnerability reports can request GPG public keys from the security team members via the squid-bugs mailing list. Please note that encrypting reports may slow down their handling and is unlikely to improve the overall security of the process.