Contact: security@tawesoft.co.uk
It is our policy to publicly announce security issues and fixes through the GitHub "Security Advisories" feature for this repository.
To subscribe, configure your watch settings and tick either "All Activity" or select "custom" and tick "security alerts".
On a case-by-case basis, we are prepared to pre-announce security issues and fixes to any downstream consumer of this repository who can provide evidence that any security issues would have a particularly high impact on their services. Email security@tawesoft.co.uk to discuss this.
Applicable security fixes will always be backported to all packages, where possible.
Security fixes may break backwards compatibility, even between minor versions, if necessary.
Please disclose responsibly so that we can notify the users of our software with a fix and/or instructions, including a pre-announcement where appropriate.
Please do not report security issues through the public issue tracker in the first instance, unless the vulnerability is being actively exploited in the wild or is already public knowledge. Please use the option to securely report a vulnerability through GitHub at the top of this page. Alternatively, please email us at security@tawesoft.co.uk and if necessary we can make other arrangements with you for secure disclosure.
If you don't receive an acknowledgement of your report within 48 hours, and you believe that urgent action is required, then please contact us through any contact method listed on the Tawesoft website.
If we have not fixed or disclosed a vulnerability within 90 days of being notified, then we respect your right to disclose it publicly.