As this project has not yet reached 1.0.0
, all releases are considered
mutually incompatible by default under SemVer.
Moreover, all releases other than the latest one are considered obsolete.
While the project is in this stage, security fixes will only be applied to the
latest 0.x.y
release. If the fix does not necessitate breaking changes or
major dependency upgrades, y
will be incremented. If more work is necessary,
x
will be incremented prior to re-releasing.
Please don't hesitate to email me if you think you've found a security vulnerability in pyHanko or one of its dependencies.
Depending on your preferences, you can either contact me at [email protected]
,
or use the contact information and PGP key that are listed
on my website. I'll do my best to get back to you within 24 hours
to assess the scope of the issue. We can discuss severity, possible fixes,
mitigations and disclosure timelines over email. In the meantime, standard
responsible disclosure practices apply.
Proof-of-concept code and/or sample documents are appreciated if available.
Note that code analysis tools may report various issues regarding the use of weak or outdated cryptographic algorithms, in particular in the code that handles file encryption and decryption. Usually, these relate to historical baggage in the PDF standard, and therefore they can't be addressed within pyHanko without breaking compatibility with other PDF tooling.
Keep that in mind, but when in doubt, report the issue anyway. Better safe than sorry.