Security updates will be released for all major versions that have had releases in the last year.

Please provide a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.

The easiest way to report a security issue is through GitHub's security advisory for this project. See Privately reporting a security vulnerability for instructions on reporting using GitHub's security advisory feature.

The shimmer GitHub admins will be notified of the issue and will work with you to determine whether the issue qualifies as a security issue and, if so, in which component. We will then figure out a fix, get a CVE assigned, and coordinate the release of the fix.

If you have a deadline for public disclosure, please let us know. Our vulnerability management team intends to respond within 3 working days of your report. This project aims to resolve all vulnerabilities within 90 days.