This policy has yet to ever be needed, so I'll keep it brief
There's rarely any reason to use an older version of the tool/library since its compatibility with other software has never changed. In future though, the final version with VS2017 support may receive critical severity backported updates.
- Please disclose security issues directly and privately to Graham Helliwell grahamthecoder@gmail.com and cc Christoph Wille christoph.wille@gmail.com
- You can usually expect some kind of response within 5-10 working days.
- Ideally the issue should be fixed on a temporary private fork and released before any details are made public to minimize the window for exploitation.