# Security Policy

## Reporting a Vulnerability

**Please do not use GitHub issues for security-sensitive communication.**

The LibreTime maintainers ask that known and suspected vulnerabilities to be privately and responsibly disclosed by:

- sending all the required detail to [security@libretime.org](security@libretime.org),
- or by filling a [security advisory on Github](https://github.com/libretime/libretime/security/advisories/new).

A LibreTime maintainer will acknowledged the report within 3 working days.

We aim to provide a security patch within 30 days, after this period the report will be disclosed to the public. The security patch will be distributed for the [maintained versions of LibreTime](https://libretime.org/docs/developer-manual/development/releases/#distributions-releases-support).