# Security policy Security announcements are sent to zulip-announce@googlegroups.com, so you should subscribe if you are running Zulip in production. ## Reporting a vulnerability We love responsible reports of (potential) security issues in Zulip, whether in the latest release or our development branch. Our security contact is security@zulip.com. Reporters should expect a response within 24 hours. Please include details on the issue and how you'd like to be credited in our release notes when we publish the fix. Our [security model](https://zulip.readthedocs.io/en/latest/production/security-model.html) document may be a helpful resource. ## Supported versions Zulip provides security support for the latest major release, in the form of minor security/maintenance releases. We work hard to make [upgrades](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release) reliable, so that there's no reason to run older major releases.