Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 3.3.x | :white_check_mark: |
| 2.1.x | :white_check_mark: |
| < 2.1.1 | :x: |
Reporting a Vulnerability
DO NOT create a public GitHub issue for security vulnerabilities. Instead, please report them via one of the following channels:
- Email: bcollins@libjwt.io (PGP-encrypted preferred)
- GitHub Private Report: Use the “Private Security Report” feature on this repository.
What to Include
- Description of the vulnerability.
- Steps to reproduce the issue.
- Impact assessment (e.g., “Creates weak tokens”).
- Suggested fix (optional).
Response Timeline
- Acknowledgement: Within 48 hours.
- Resolution: Within 7 days for critical issues.
- Disclosure: Public advisory after the fix is released.