Security: lsmarsden/serenity-core

SECURITY.md

Security Policy

Supported Versions

The Serenity BDD project actively maintains the most recent major and minor versions of the Serenity core libraries.
Security fixes are generally applied to:

  • The latest released version
  • The previous minor release (when feasible)

Older versions may not receive security patches. Users are encouraged to stay up to date with the latest release.

Reporting a Vulnerability

If you discover a security vulnerability in Serenity BDD, please do not create a public GitHub issue.

Instead, report it securely via the Tidelift coordinated disclosure process:

👉 https://tidelift.com/security

Tidelift will work with the project maintainers to:

  • Review the report
  • Coordinate the fix
  • Manage a responsible disclosure process

This ensures that security issues are handled quickly, safely, and in a way that protects the wider ecosystem.

What to Include in a Report

To help us assess your report efficiently, please include (when possible):

  • A clear description of the vulnerability
  • Steps to reproduce
  • Expected vs. actual behavior
  • Versions of Serenity BDD and relevant dependencies
  • Any suggested mitigations or patches

We appreciate all responsible security research.

Security Update Process

When a vulnerability is confirmed:

  1. A fix will be developed privately.
  2. A patched release will be published to Maven Central.
  3. A security advisory will be issued (via GitHub Security Advisories and/or Tidelift).
  4. Users will be encouraged to upgrade.

There aren’t any published security advisories