This document outlines security procedures and general policies for Chafa.

We are grateful for the testing and analysis carried out by the community. All bug reports are taken seriously.

Normally, bugs can be filed directly in the public GitHub issue tracker, but if you believe there is a security impact, please contact the lead maintainer at his e-mail address hpj@hpjansson.org instead.

We will most likely respond within 48 hours, but since Chafa is a volunteer project, please allow up to a week for those rare times we're away from the keyboard or general connectivity.

When a fix is published, you will receive credit under your real name or bug tracker handle in the NEWS document and possibly elsewhere (GitHub, blog post, etc). If you prefer to remain anonymous or pseudonymous, you should mention this in your e-mail.

The maintainer will coordinate the fix and release process, involving the following steps:

• Confirm the problem and determine the affected versions.
• Audit code to find any potential similar problems.
• Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.

You may be asked to provide further information in pursuit of a fix.

If you have suggestions on how this process could be improved, please submit an issue or pull request.