This document describes how security vulnerabilities in this project should be reported.

Support for neqo is based on the Firefox version in which it has landed. Versions of neqo in current versions of Firefox are actively supported.

The version of neqo that is active can be found in the Firefox repositories:

• release,
• beta, and
• trunk/central,
• ESR 115.

The listed version in these files corresponds to tags on this repository. Releases do not always correspond to a branch.

We welcome reports of security vulnerabilities in any of these released versions or the latest code on the main branch.

To report a security problem with neqo, create a bug in Mozilla's Bugzilla instance in the Core :: Networking component.

IMPORTANT: For security issues, please make sure that you check the box labelled "Many users could be harmed by this security problem". We advise that you check this option for anything that involves anything security-relevant, including memory safety, crashes, race conditions, and handling of confidential information.

Review Mozilla's guides on bug reporting before you open a bug.

Mozilla operates a bug bounty program, for which this project is eligible.