These jte versions are currently being supported with security updates.

If you believe that you have found a vulnerability in jte, first please search the GitHub issues list (for both open and closed issues) to see if it has already been reported.

If it has not, then please create a private security advisory. Please do not report any suspected vulnerabilities via GitHub issues as we wish to keep our users secure while a patch is implemented and deployed. This is because if this is reported as a GitHub issue, it more or less is equivalent to dropping a 0-day on all applications using jte. Instead, we encourage responsible disclosure.

If you wish to be acknowledged for finding the vulnerability, then please follow this process. We will try to contact you within at least 5 business days. If you eventually wish to have it published as a CVE, we will also work with you to ensure that you are given proper credit with MITRE and NIST. Even if you do not wish to report the vulnerability as a CVE, we will acknowledge you in the patch notes as well as acknowledging you in any security bulletin that we may write up and use to notify our users. (If you wish to have your identity remain unknown, we can work with you on that as well.)

If possible, provide a working proof-of-concept or at least minimally describe how it can be exploited in sufficient details that we can understand what needs to be done to fix it. Unfortunately at this time, we are not in a position to pay out bug bounties for vulnerabilities.