If you think you've found a potential vulnerability in OpenEXR, please report it by emailing security@openexr.com. Only TSC members and ASWF project management have access to these messages. Include detailed steps to reproduce the issue, and any other information that could aid an investigation. Our policy is to respond to vulernability reports within 14 days.

Our policy is to address critical security vulnerabilities rapidly and post patches as quickly as possible.

See the release notes for a listing of known CVEs and the releases in which they have been addressed.