See the README for supported versions.

If you find a vulnerability in this library, please report it. You can use my private email address found on my Contact page as well as in my security.txt file.

Please do not disclose the vulnerability publicly until a fix is released!

I try to loosely follow the Coordinated Vulnerability Disclosure policy. I will confirm the receipt of the report, then check and evaluate the vulnerability as soon as I can and, if necessary, release a fix or a mitigation. I'll then reach out to let you know the result, and will credit you in the report.

Once I have either published a fix, or declined to address the vulnerability for whatever reason, you are free to publicly disclose it. If that doesn't happen in 90 days after acknowledging the vulnerability, you're also free to disclose it, unless we'll agree on something else.