Quality-time has not been hardened yet. We advise against running Quality-time internet-facing or in an otherwise untrusted environment.
Starting with release v4.6.0-rc.4, an SBOM is generated for each release. The GitHub Actions release workflow creates an Software Bill of Materials (SBOM) for the release, which can be found under the "Artifacts" header of the workflow run.
Only the latest version of Quality-time is currently being supported with security updates.
Please report security vulnerabilities by email to the Quality-time team at quality-time@ictu.nl. The aim is to get back to you within 24 hours with a confirmation of the issue and a brief action plan or a request for more information.