Currently security updates are supported for the latest ImageSwap release. We will review backporting security updates to older releases on a case by case basis.

If you discover a vulnerability in ImageSwap or any of the project's tooling, please alert us here.

Each report will be reviewed and receipt acknowledged within 3 business days. This will set off a security review process.

Any vulnerability information shared with the security team stays within the ImageSwap project and will not be shared with others unless it is necessary to fix the issue. Information is shared only on a need to know basis.

We ask that vulnerability reporter(s) act in good faith by not disclosing the issue to others. And we strive to act in good faith by acting swiftly, and by justly crediting the vulnerability reporter(s) in writing.

As the security issue moves through triage, identification, and release the reporter of the security vulnerability will be notified. Additional questions about the vulnerability may also be asked of the reporter.

A public disclosure of security vulnerabilities is released alongside release updates or details that fix the vulnerability. We try to fully disclose vulnerabilities once a mitigation strategy is available. Our goal is to perform a release and public disclosure quickly and in a timetable that works well for users. For example, a release may be ready on a Friday but for the sake of users may be delayed to a Monday.