If you believe you have discovered a vulnerability in EspoCRM please contacts us via this or this forms.

For severe vulnerabilities we provide fixes for 2 minor versions (the second number in the version string) back from the current stable version.