No released versions of Kepler will receive regular security updates until a SemVer major release has been performed - e.g v1.0.0. A reported and fixed vulnerability will be included in the next SemVer minor or patch release which depending on the severity of the vulnerability may be immediately after the fix is merged.

To report a vulnerability, please use the Private Vulnerability Reporting Feature on GitHub. We will endeavour to respond within 48hrs of reporting. If a vulnerability is reported but considered low priority it may be converted into an issue and handled on the public issue tracker. Should a vulnerability be considered severe we will endeavour to patch it within 48hrs of acceptance. You may be asked to provide a proof of concept or steps to reproduce the vulnerability and invited to collaborate with us on a temporary private fork of the repository to verify the fix.