# Security Policy

Security announcements are sent to zulip-announce@googlegroups.com,
so you should subscribe if you are running Zulip in production.

## Reporting a Vulnerability

We love responsible reports of (potential) security issues in Zulip,
whether in the latest release or our development branch.

Our security contact is security@zulip.com.  Reporters should expect a
response within 24 hours.

Please include details on the issue and how you'd like to be credited
in our release notes when we publish the fix.

Our [security
model](https://zulip.readthedocs.io/en/latest/production/security-model.html)
document may be a helpful resource.

## Supported Versions

Zulip provides security support for the latest major release, in the
form of minor security/maintenance releases.

We work hard to make
[upgrades](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release)
reliable, so that there's no reason to run older major releases.