The only supported version is the latest major version. Security fixes are not backported to earlier releases.

If you find a vulnerability in Spoon, please disclose it by email to any of the integrators listed in CONTRIBUTING.md.

If you have the capability to do so, we appreciate if the email body is encrypted. You can get the GPG key of a contributor with the gpg --recv-keys <key_id/fingerprint> command. Integrator key fingerprints are listed alongside email addresses in the CONTRIBUTING.md file.