# Security Policy

## Supported Versions

No released versions of aya or its subprojects will receive regular security
updates until a mainline release has been performed.
A reported and fixed vulnerability will be included in the next minor release,
which depending on the severity of the vulnerability may be immediate.

## Reporting a Vulnerability

To report a vulnerability, please use the
[Private Vulnerability Reporting Feature] on GitHub. We will endevour to respond
within 48hrs of reporting.

If a vulnerability is reported but considered low priority it may be converted
into an issue and handled on the public issue tracker.

Should a vulnerability be considered severe we will endeavour to patch it within
48hrs of acceptance, and may ask for you to collaborate with us on a temporary
private fork of the repository.

[Private Vulnerability Reporting Feature]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability