My recent and upcoming projects use semantic versioning.
Within the same MAJOR version, only the most recent MINOR version MAY be supported with security updates.
-
The most recent MAJOR version SHALL be supported indefinitely.
-
The previous MAJOR version:
- SHALL be supported for at least 6 (six) months;
- MAY be supported for up to 24 (twenty-four) months;
since the release of the current MAJOR version.
-
The less recent MAJOR versions SHALL NOT be supported.
The current version is 3.1.4, and a vulneravility is found. It also applies to most recent MINOR versions 2.7.1 and 1.y.z. A PATCH 3.1.5 for the current version will be released. No PATCH for 3.0.z will be released. No PATCH for 1.y.z will be released.
- If 3.0 was released at most half a year ago, version 2 will get a security PATCH 2.7.2.
- If 3.0 was released at most two years ago, version 2 may get a security PATCH. I will take the dependants of 2.y.z in the consideration.
- If 3.0 was released over two years ago, version 2 will not get a security PATCH.
Contact me at [email protected]. Use the bug report issue form as a template for your letter.
- If I accept your report, an appropriate security PATCH version SHALL be released within 1 (one) month. If I do not release a security PATCH within this period, you MAY disclose the vulnerability publicly in issues.
- If I decline your report, then it will not be addressed. You MAY disclose the supposed vulnerability publicly in issues to notify the dependants of old MAJOR versions.
- If I don't get back to you within 1 (one) month of you report, you MAY disclose the vulnerability publicly in issues.
Whenever publicly disclosing a vulnerability, make sure to consider all the implications, both for your projects and other dependants.