Security Policy

Supported Versions

We only support the latest version.

We are following CalVer with generous backwards-compatibility guarantees. Therefore we only support the latest version.

That said, you shouldn’t be afraid to upgrade if you’re only using our documented public APIs and pay attention to DeprecationWarnings. Whenever there is a need to break compatibility, it is announced in the changelog and raises a DeprecationWarning for a year (if possible) before it’s finally really broken.

Reporting a Vulnerability

If you think you found a vulnerability, please contact Hynek Schlawack at hs@ox.cx.

If you insist on using PGP, you can use the key 0xAE2536227F69F181. The fingerprint must be C2A0 4F86 ACE2 8ADC F817 DBB7 AE25 3622 7F69 F181. You can also find it on Keybase.