This document explains how we maintain the security of the project and how you can help. Read it carefully before reporting vulnerabilities or relying on unsupported releases.
| Release Branch | Security Updates? |
|---|---|
| 5.1.x | ✅ Actively maintained |
| 5.0.x | ❌ End‑of‑life |
| 4.0.x | ✅ Long‑term support |
| < 4.0 | ❌ No longer supported |
Only the branches marked with a green check receive security patches. Running unsupported code is at your own risk.
- Contact us privately – Email JACOBCSMITHD@GMAIL.COM with the subject line
Vulnerability Report: <concise summary>. - Encrypt your message – Our PGP public key is located at
/SECURITY.pub. - Initial response – We acknowledge reports within 48 hours.
- Status updates – You will receive progress reports at least every 7 days until a fix or mitigation is released.
- Coordinated disclosure – Please keep the details confidential for 90 days or until a patch is published, whichever comes first.
- Recognition and rewards – Accepted reports are listed in
HALL_OF_FAME.md. Bounties are awarded based on severity and technical depth.
If a report is not accepted, we will explain the decision.
- Proof‑of‑concept only – Demonstrate the issue without harming data or systems.
- No production impact – Do not test against live infrastructure unless we explicitly approve it.
- Avoid social engineering – Focus on technical flaws, not people or physical facilities.
Thank you for helping us keep this project secure.