We provide security updates for currently supported versions. In general, we provide security updates for all minor and patch versions of the latest major version.

| Version | Supported |
|---|---|
| 3.x | ✅ |
| < 3.0 | ❌ |

Note: Support policies for previous major versions may change when a new major version is released. Please refer to the release notes for details.

Important: If you discover a security vulnerability, do not open a public issue. Please use the private reporting method described below.
- Go to the "Security" tab of this repository
- Click the "Report a vulnerability" button
- Provide detailed information about the vulnerability
- This report is handled privately and is only visible to project maintainers

Including the following information will help us respond more quickly:
- Type and description of the vulnerability
- Steps to reproduce the vulnerability
- Potential impact
- Suggested fix (if any)
- Version where the vulnerability was found

After we receive a report, we handle it in the following stages:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Initial Assessment: We will evaluate the severity and scope of the vulnerability.
- Fix: We will work on a fix if necessary.
- Patch Release: We will release a new version containing the fix.
- Public Disclosure: We will publish a public advisory at an appropriate time after the vulnerability has been resolved.

We appreciate those who report security vulnerabilities. If you wish, we can credit you as a contributor in the release notes.

We recommend following these security best practices when using Montage:
- Use the latest version: Always use the latest stable version.
- Update dependencies: Regularly update your dependencies.
- Code review: Perform code reviews before deploying to production.
- Principle of least privilege: Grant only the minimum necessary permissions.

You can receive notifications about security updates through the following methods:
- Subscribe to the repository using GitHub's "Watch" feature.
- Check GitHub Releases for new versions.

For general security-related inquiries that are not vulnerability reports (e.g., security best practices, configuration guidance), please open an issue.

Reminder: Security vulnerabilities must be reported privately through the Security tab, not via public issues.