With Yaws, we strive to keep releases compatible with previous versions. For this reason, we do not patch old releases, but instead encourage users to update to the latest version to obtain security updates.

To report a vulnerability, please do not create a public Yaws issue. Instead, email the lead Yaws developer vinoski [at] ieee [dot] org and you'll get an acknowledgement within 48 hours. Please include as much detail as possible, and if possible also include instructions for how to duplicate the problem. We will then work with you to understand the vulnerability so we can patch it and make fixes available in a new Yaws release.

If you have suggestions on how this process could be improved, please submit a pull request.