This document outlines security procedures and general policies for the Stump project.
Non-security bugs can be reported through the normal issue tracker, but please make sure to follow the issue template and provide as much information as possible to help us understand and reproduce the issue.
If you have a security issue to report that would be inappropriate or potentially dangerous to report through the normal issue tracker (e.g., if it might alert potential attackers to a vulnerability before it can be fixed), please report it privately by emailing me directly at oromei@proton.me. I will try my best to respond within a reasonable timeframe, but please understand that I build Stump in my spare time and may not be able to respond immediately.
Generally speaking, I try to only officially support the latest release. It isn't feasible for me to support multiple versions of Stump at a time, especially when considering the complex version matrix between the server and client apps.
I will provide support for older versions if a patch can be easily backported, but I won't make any promises. If you are running an older version of Stump, please try to update to the latest version to ensure you have the latest security patches and features.
If you are running experimental versions of Stump, e.g. nightly builds, please be aware that these versions may be less stable and more likely to contain bugs or security vulnerabilities. Use them at your own risk, and please report any issues you encounter.