We generally support fixing security issues in all sensible releases. We may decide not to fix them in very old releases, though.
If you’ve found a security issue in one of our packages, please send
us an email to development [at] orca.ch instead of using the normal
bug reporting system or any other form of notification.
Once we receive a vulnerability report, we first confirm to the reporter that we simply received the report.
Next, for each report, we try to confirm the vulnerability. Once confirmed, we will do the following:
- Acknowledge to the reporter that we’ve confirmed the issue, and are working on a fix. We ask the reporter to keep the issue confidential until we announce a solution.
- Get a fix/patch or workaround/guidance prepared.
- Release new versions of all affected versions, if applicable.
- Prominently feature the problem in the release description, if applicable.