We take security VERY seriously. If there is any serious security flaw, a patch will be published within 48 hours.
Please do not open a GitHub issue or PR. Please write an E-Mail to [email protected]. After that a commit will be pushed silently into the code. 3 months after version reached EOL the exploit will be made public.
If you want you can send an encrypted E-Mail to Emil Engler. His PGP Fingerprint is: F365 E654 4A5C 9AB1 3293 42D4 2F6D 4145 C55F C7C7.
His PGP Key is available here