The latest release of qTox is supported. Any security fix will be added to a new version on top of it.
Please report vulnerabilities by Tox to
anthonybilinski
and sudden6.
If that's not an option, please email me@abilinski with GPG fingerprint 7EB3 39FE 8817 47E7 01B7 D472 EBE3 6E66 A842 9B99
and sudden6@gmx.at with GPG fingerprint DA26 2CC9 3C0E 1E52 5AD2 1C85 9677 5D45 4B8E BF44
.
We should get back to you within a week. If the vulnerability is qTox specific and accepted, there should be a new release addressing the vulnerability within a couple of weeks. If we disagree with the vulnerability analysis, we will answer explaining our reasoning.
If the vulnerability is related to a dependency of qTox, we will follow the disclosure policy of that project. If a fix from the project isn't imminent and it's possible, we will mitigate the issue in qTox.