gunicorn/SECURITY.md
Benoit Chesneau 5d819cf360 release: 26.0.0
- Bump version_info to (26, 0, 0)
- Update SECURITY.md supported releases (26.0.0, 25.3.0)
- Add 26.0.0 entry to news.md and 2026-news.md covering eventlet
  removal, ASGI framework compatibility suite, RFC 9110/9112
  request-target and header hardening, smuggling fixes, HEAD/204/304
  body framing, WebSocket close handshake compliance, HTTP/2 ASGI
  stream completion, early-hints validation, framework fixes
  (Django/Litestar/Quart/BlackSheep), and gunicorn_h1c >= 0.6.5
2026-05-05 08:35:19 +02:00

# Security Policy
## Reporting a Vulnerability
**Please note that public GitHub issues are open for everyone to see!**
If you believe you have found a problem in Gunicorn software, examples or documentation, we encourage you to send your
report privately via [email](mailto:security@gunicorn.org?subject=Security%20issue%20in%20Gunicorn), or via GitHub
using the *Report a vulnerability* button in the [Security](https://github.com/benoitc/gunicorn/security) section.
## Supported Releases
Please target reports against :white_check_mark: or current master. Please understand that :x: will
not receive further security attention.
| Version | Status |
| ------- | ------------------ |
| 26.0.0 | :white_check_mark: |
| 25.3.0 | :white_check_mark: |
| 24.1.1 | :x: |
| 23.0.0 | :x: |
| 22.0.0 | :x: |
| < 22.0 | :x: |
## Python Versions
Gunicorn runs on Python 3.10+, supporting Python versions that are still maintained by the PSF.
We *highly recommend* the latest release of a [supported series](https://devguide.python.org/versions/)
and will not prioritize issues affecting EoL environments.