Security fixes are made for the latest released Ack version. Users should upgrade to the newest compatible release before reporting a problem or asking for a backport. Older release lines may receive fixes at the maintainers' discretion.
Do not report a suspected vulnerability in a public GitHub issue.
Contact the repository owner privately through the contact methods on their GitHub profile. Include:
- the affected package and version;
- a clear description of the impact;
- steps or a minimal program that reproduces the issue;
- any known workarounds; and
- whether the report or exploit details have been shared elsewhere.
If no private contact method is available, open an issue that requests a private security contact without including vulnerability details.
Please allow maintainers time to confirm the report and coordinate a fix before public disclosure. If the report is accepted, the project will credit the reporter unless they prefer to remain anonymous.
Security reports should describe a concrete confidentiality, integrity, or availability impact. General bugs, unexpected validation results, and feature requests belong in the public issue tracker.