
Security: jepemo/miko-manifest


Security Policy

Supported Versions

We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

Version Supported
1.x.x
< 1.0

Reporting a Vulnerability

The miko-manifest team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab.

The miko-manifest team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Security Update Process

  1. Report Reception: Security reports are received and assigned to a primary handler.
  2. Confirmation: The problem is confirmed and a list of all affected versions is determined.
  3. Fix Development: Code is audited to find any potential similar problems.
  4. Fix Release: A new release is prepared with the fix.
  5. Disclosure: The vulnerability is disclosed publicly after the fix is released.

Comments on This Policy

If you have suggestions on how this process could be improved, please submit a pull request.

There aren't any published security advisories