If you discover a security vulnerability, please report it to us by opening a draft security advisory.

If you prefer to make a confidential disclosure, please open a blank issue and use it to make security contact request. Be sure to include your contact details so that we can follow up with you privately.

We take all security vulnerabilities seriously and will endeavour to address them promptly.

If a security vulnerability is reported or discovered, we will endeavor to publish fixes as patches to both the current release series and its immediate predecessor. For example, if the current release is 3.3.3 and the predecessor is 3.2.3, we would release versions 3.3.4 and 3.2.4.

We will notify users of security updates through our standard project communication channels.