We release patches for security vulnerabilities. Which versions are eligible receiving such patches depend on the CVSS v3.0 Rating:

Please report (suspected) security vulnerabilities to our bug bounty program. You will receive a response from us within 2 working days. If the issue is confirmed, we will release a patch as soon as possible depending on impact and complexity.

Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program.

We generally aren't interested in the following issues:

• Social engineering (e.g. phishing, vishing, smishing) attacks
• Brute force, DoS, text injection
• Missing best practices such as HTTP security headers (CSP, X-XSS, etc.), email (SPF/DKIM/DMARC records), SSL/TLS configuration.
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
• Clickjacking on pages with no sensitive actions
• Theoretical vulnerabilities where you can't demonstrate a significant security impact with a proof of concept.