Security alerts are published here: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Exiv2 We open an issue with the label "Security" on GitHub and fix it. It doesn't get special treatment and will be included in the next release of the branch.

Team Exiv2 does not back-port security (or any other fix) to earlier releases of the code. An engineer at SUSE has patched and fixed some security releases for Exiv2 v0.26 and Exiv2 v0.25 in branches 0.26 and 0.25. Exiv2 has provided several Dot Release for v0.27. Exiv2 has never issued a Security Release.

The version numbering scheme is explained below. The design includes provision for a security release. A Dot Release is an updated version of the library with security PRs and other changes. A Dot Release offers the same API as its parent. A Security Release is an existing release PLUS one or more security PRs. Nothing else is changed from it parent.

Users can register on GitHub.com to receive release notices for RC and GM Releases. Additionally, we inform users when we begin a project to create a new release on FaceBook (https://facebook.com/exiv2) and Discuss Pixls (https://discuss.pixls.us). The announcement of a new release project has a preliminay specification and schedule.