# Security Policy

## Supported Versions

We follow the [WordPress Core style of versioning](https://make.wordpress.org/core/handbook/about/release-cycle/version-numbering/) rather than traditional [SemVer](https://semver.org/). This means that a move from version 3.9 to 4.0 is no different from a move from version 3.8 to 3.9. When a **PATCH** version is released it represents a bug fix, or non-code, only change.

The latest version released is the only version that will receive security updates, generally as a **PATCH** release unless a security issue requires a functionality change in which requires a minor/major version bump.

## Reporting a Vulnerability

For security reasons, the following are acceptable options for reporting all security issues.

1. Via Keybase secure message to [timnolte](https://keybase.io/timnolte/chat) or [daggerhart](https://keybase.io/daggerhart/chat).
2. Send a DM via the [WordPress Slack](https://make.wordpress.org/chat/) to `tnolte`.
3. Via a private [security advisory](https://github.com/oidc-wp/openid-connect-generic/security/advisories) notice.

Please disclose responsibly and not via public GitHub Issues (which allows for exploiting issues in the wild before the patch is released).