GPAC is under constant development using a continuous integration and deployment process. As a consequence the HEAD of the master branch is always considered as the current version at any point.
Thus only reports that are confirmed reproducible on the current HEAD of the master branch will receive a patch.
Vulnerabilities (as well as other bugs) should be reported directly using the Github issue tracker.
Corner cases which do not lead to some security concerns are not considered as part as our security policy. For example isolated overflows generated by fuzzers and reported by ASAN and not leading to a crash are excluded.
Please include all information needed to reproduce the issue, including a sample file.
Sample files can be joined directly via github (preferred way) or uploaded to the GPAC file drop.
However if public disclosure seems unreasonable, or if confidential information needs to be shared, you can contact security@gpac.io for private disclosure.