Eclipse Hono follows the Eclipse Vulnerability Reporting Policy. Vulnerabilities are tracked by the Eclipse security team, in cooperation with the Hono project lead. Fixing vulnerabilities is taken care of by the Hono project committers, with assistance and guidance of the security team.
Eclipse Hono provides security updates for the two most recent minor versions.
Note that this means that in case of a new major version being released, older releases of the previous major version will no longer be supported. For example, assuming that versions 1.12.x and 1.11.x are the two most recent minor versions, then version 1.11.x will no longer be supported once any of version 2.0.0 or version 1.13.0 has been released.
We recommend that in case of suspected vulnerabilities you do not create a GitHub issue, but instead contact the Eclipse Security Team directly sending an email to security@eclipse.org.