The current version
If you identify a security vulnerability, please notify us via Github private vulnerability reporting. We request that you keep your findings confidential for 45 days from the date of notification to us. In return, we commit to responding to your disclosure promptly and making appropriate patches as soon as we can. Although we do not have the resources to pay large bug bounties, we will credit you on our website (if you wish) and possibly send you a small token of thanks (such as a t-shirt).