We provide security fixes for the latest stable release and active LTS branches.

| Version | Supported |
|---|---|
| 1.x | ✅ |
| <1.0 | ❌ |

Do not open public issues for security problems.
Use GitHub Private Vulnerability Reporting:
Repository → Security tab → Report a vulnerability.
This creates a private discussion between you and the maintainers.
Public disclosure is only made after a fix is released.
- Acknowledge within 10 business days
- Triage and assign severity
- Develop and test a fix
- Coordinate release and disclosure timing
- Credit the reporter unless anonymity is requested
- Clickjacking on non-sensitive pages
- Self-XSS requiring pasting code into console
- Vulnerabilities needing physical access