# Security Policy

## Supported Versions

We are an open source project with no corporate sponsor and no formal "support". In practice, we support the latest released version and work with OS vendors to make it easy for them to backport fixes for their distributed packages.

For some security issues, we will issue a patch-release which has just a simple fix. We also often have `exim-VERSION+fixes` branches with small things which we recommend that vendors use.

For postmasters installing Exim manually, we recommend always using the latest released tarball.

## Reporting a Vulnerability

Our security page is at . It contains the current contact point and list of PGP keys to use for encrypting particularly sensitive information. This also links to our documentation and the chapter on security considerations.

Our security release process is at . This covers what we do in handling vulnerability reports.

We have no bug bounty program of our own; we're far too disparate a group of volunteers for such things.