We follow the WordPress Core style of versioning rather than traditional SemVer. This means that a move from version 3.9 to 4.0 is no different from a move from version 3.8 to 3.9. When a PATCH version is released it represents a bug fix, or non-code, only change.
The latest version released is the only version that will receive security updates, generally as a PATCH release unless a security issue requires a functionality change in which requires a minor/major version bump.
For security reasons, the following are acceptable options for reporting all security issues.
- Via Keybase secure message to timnolte or daggerhart.
- Send a DM via the WordPress Slack to
tnolte. - Via a private security advisory notice.
Please disclose responsibly and not via public GitHub Issues (which allows for exploiting issues in the wild before the patch is released).