Our release cycle for new features (minor semver update) is roughly every four weeks (we will usually make a new release after each sprint review).
Version | Security Fixes* | Supported** |
---|---|---|
5.x.x | ✅ | ✅ |
4.16.x | Critical issues only | ❌ |
<= 3.15.x | ❌ | ❌ |
Upcoming major updates will come with a time window in which both major versions (starting with v2.x.x) will receive security updates and bugfixes. The concrete support interval will probably be a couple of months and will be published when the next major version is released.
We currently plan to provide support for the latest minor semver release only.
We try to make bugfixes and high-severity fixes available as a patch release for the current minor release as early as possible.
If you are interested in extended support with security updates for older versions of our project, please get in touch with the project team via Slack or email [email protected].
Have you found a vulnerability in the project that shouldn't be disclosed as a public issue before it's fixed? Please report it using GitHub Security Advisories at https://github.com/secureCodeBox/secureCodeBox/security/advisories.
If you are unable to use GitHub advisories, please email the project leaders at their OWASP email addresses that can be found under https://github.com/OWASP/www-project-securecodebox/blob/master/leaders.md.
You can expect a fast reaction within the next few days. We will keep you updated about the next steps and let you know whether the vulnerability is accepted, when it is fixed, or if it is declined.