# SECURITY POLICY

## Supported Versions

When a new **minor** version (`5.x`) is released, the previous one will continue to receive security and bug fixes for *at least* 3 months.

When a new **major** version is released (`4.0`, `5.0`, etc), the previous one will receive bug fixes for *at least* 3 months and security updates for 6 months after that new release comes out.

(This policy may change in the future and exceptions may be made on a case-by-case basis.)

## Reporting a Vulnerability

If you discover a security vulnerability within this package, please use the [Tidelift security contact form](https://tidelift.com/security) or email Colin O'Dell at <colinodell@gmail.com>. All security vulnerabilities will be promptly addressed. Please do not disclose security-related issues publicly until a fix has been announced.