Security: chaoss/augur

SECURITY.md

Security Policy

Supported Versions

We currently provide security updates for the latest tagged release of Augur.

Older versions are not actively supported. In exceptional circumstances, maintainers may choose to backport fixes on a case-by-case basis.

Reporting a Vulnerability

IMPORTANT: Do not report security vulnerabilities using public GitHub Issues or public discussions.

Private Disclosure Process

If you discover a security vulnerability in Augur, please report it privately by opening a New Private Vulnerability Report. Please fill out the provided advisory template to ensure we have all the details (Impact, Reproduction Steps, and Affected Versions) needed to investigate.

Responsible Disclosure Guidelines

We do our best to follow responsible disclosure practices:

  • Credit: We will acknowledge your discovery in security release notes (unless you prefer anonymity)
  • Coordination: We will work with you to coordinate the disclosure and release timeline based on our capacity to resolve the issue
  • Communication: We aim to remain communicative and keep your ticket updated with the status so you know what to expect
  • No Public Issues: Please avoid creating public GitHub issues, pull requests, branches, or forks for developing fixes to security vulnerabilities unless told otherwise. All of these can leak the existence of the vulnerability before it is fully fixed.

Thank you for helping keep Augur secure!