We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

Please report security vulnerabilities through GitHub's Security Advisory feature at https://github.com/humanjavaenterprises/nostr-websocket-utils/security/advisories/new. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

• Confirm the problem and determine the affected versions.
• Audit code to find any potential similar problems.
• Prepare fixes for all still-supported versions of nostr-websocket-utils.
• Release new versions of all affected versions.
• Prominently announce the problem on our blog and mailing list.

If you have suggestions on how this process could be improved please submit a pull request.