The following versions of this project are currently supported with security updates:
| Version | Supported |
|---|---|
| main / release | ✅ |
| older versions | ❌ |
If you are using an unsupported version, please upgrade before reporting issues.
If you believe you have found a security vulnerability, please do not open a public issue.
Instead, report it privately using one of the following methods:
- Go to the Security tab of this repository, click Report a vulnerability, and fill in the details
- Email: canvas@it.ox.ac.uk

Please include:

- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any relevant logs, screenshots, or proof-of-concept code

After you report a vulnerability:
- We will acknowledge receipt as soon as possible
- We will investigate and assess the issue
- We may request additional information
- We will work on a fix and coordinate a responsible disclosure
We ask that you give us reasonable time to address the issue before making any public disclosure.
We follow a responsible disclosure process:
- Security issues will be fixed as quickly as reasonably possible
- A public advisory will be published once a fix is available
- Credit will be given to reporters where appropriate (unless anonymity is requested)
This security policy applies to:
- This repository’s source code
- Official releases and artefacts
Out of scope:
- Issues caused by unsupported versions
- Third-party dependencies (please report these to the relevant upstream project)
- Misconfiguration by end users
We appreciate the efforts of security researchers and users who help keep this project and its users safe.