This document explains which versions of imgsrv receive security updates and
how to report vulnerabilities privately.

imgsrv does not have a supported production release line yet. Until releases
exist, security fixes are handled on the default branch.

Report vulnerabilities privately through GitHub private vulnerability reporting.
Do not use public GitHub issues, pull requests, discussions, chat channels, or other public forums for vulnerability reports.

When reporting a vulnerability, include as much of the following as possible:
- affected version, commit, or deployment identifier
- a description of the issue and the security impact
- steps to reproduce or a minimal proof of concept
- any relevant logs, screenshots, or traces
- any suggested mitigations or fixes, if available

No public disclosure timeline is defined yet. Coordinate disclosure privately in the GitHub advisory thread until a release process exists.