Please focus your analysis on the latest version of the library.
If the project maintainers deem the issue to be particularly significant, a patch may be backported to some previous versions.
Please privately report any vulnerabilities as a Github Security Advisory.
We will acknowledge the report within a week and begin investigating.
Our vulnerability disclosure guidelines are similar to Google's Project Zero rules.
Once you report a vulnerability, we have 90 days to make a patch available for users. Once a patch is released, you may publicly disclose the vulnerability details after 30 more days (so users have time to upgrade). If we do not release a patch within this period, you can publicly disclose the details of the vulnerability without further delay.
If the vulnerability is shown to be already exploited "in the wild," the 90-day period is replaced by a 10-day period. However, the 30 additional days before public disclosure still apply, if we are able to publish a patch within the period.
Lastly, early disclosure is permitted only if mutually agreed upon by the issue reporter and the project maintainers.