Only the latest version gets security updates and bug fixes!
For instance, at the time of writing, the current version was 19.1.0. This means that if I detect a security flaw today, it's going to be fixed in version 19.1.1. I will not backport it to version 19.0.x or 18.x.x!
If you detect a vulnerability, either
- open a bug ticket
- or drop an email to security at beyondjava dot de (replacing "at" and "dot" by the corresponding special characters).
In most cases, I will react within a day. However, this is a non-commercial project run by an individual, so there might be a delay because I'm offroad, ill, or something like that. Also note that "react" doesn't necessarily mean "solve". Security flaws can be convoluted, so all I can do is to aim at a fast reaction speed, but I can't promise it.