Use this section to tell people which versions of your project are currently supported with security updates.

| Version | Supported |
|---|---|
| 5.1.x | ✅ |
| 5.0.x | ❌ |
| 4.0.x | ✅ |
| < 4.0 | ❌ |

If you discover a security vulnerability in this project, please report it to us privately as soon as possible. We appreciate your help in keeping the project secure.
Please do not create a public GitHub issue for security problems.
Send an email to security@yourproject.org (or your dedicated security contact) with the following details:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions
- Potential impact (e.g., data leak, RCE)
- Any suggested fixes or mitigations (optional but very helpful)

We will acknowledge your report within 48 hours (or 72 hours) and provide an estimated timeline for a fix.
- We will investigate and confirm the vulnerability.
- We will work on a fix (and may ask you for more information).
- Once the fix is ready, we will release a security patch.
- We will publicly thank you (unless you prefer to stay anonymous) in the release notes or changelog.
- We follow responsible disclosure: we will not publicly disclose the vulnerability until a fix is available and users have had reasonable time to upgrade.
- We aim to fix critical vulnerabilities within 7–14 days and high-severity ones within 30 days, depending on complexity.
- Security fixes will be released as soon as possible, often as a new patch/minor version.
- We release security advisories via GitHub Security Advisories.
- You can also follow our releases and the CHANGELOG.md for security-related entries.
- We strongly recommend keeping your project dependencies up to date.

If you have suggestions to improve this security policy, feel free to open a pull request or contact the maintainers.
This policy is based on common open-source practices and GitHub's security template.