Please report security vulnerabilities by sending email to lgl@island-resort.com. Please include "QCBOR SECURITY" in the subject line.
In most cases the vulnerability should not be reported by filing an issue in GitHub, as this will publicly disclose the issue before a fix is available.
Laurence Lundblade maintains this code and will respond in a day or two with an initial evaluation.
Security fixes will be prioritized over other work.
Vulnerabilities will be fixed promptly, but some may be more complex than others and take longer. If the fix is quick, it will usually be turned around in a few days.
When the fix has been created, it will be privately verified with the party that reported it. Only after the fix has been verified and the reporter has had a chance to integrate the fix will it be made available as a public commit in GitHub.
If the reporter doesn't respond or can't integrate the fix, it will be made public after 30 days.