All latest MAJOR versions (taking version number x.y.z as MAJOR.minor.patch) are supported, and will benefit from a best-effort policy to fix any reported issue.
That said, more effort will go into fixing the latest version than a largely obsolete one.
You can email me directly at tristandeloche_at_gmail.com and I will reply as soon as I can.
Please make it clear in the subject line of the email that it concerns a security vulnerability.
We will then take the following course of action:
- Assess the vulnerability
- Discuss whether and when to disclose it (ideally as soon as possible, preferably after the fix is out)
- If it cannot be patched quickly (for example because it is caused by an underlying dependency with no fix available yet), responsible disclosure will take the form of a warning section in the parent README, with an associated issue linked to the upstream issue
Throughout this process, I will do my best to keep you up to date.