# Security policy Security announcements are sent to zulip-announce@googlegroups.com, so you should subscribe if you are running Zulip in production. ## Reporting a vulnerability We love responsible reports of (potential) security issues in Zulip, whether in the latest release or our development branch. Our security contact is security@zulip.com. Reporters should expect a response within 24 hours. Please include details on the issue and how you'd like to be credited in our release notes when we publish the fix. Our [security model][security-model] document may be a helpful resource. ## Supported versions Zulip provides security support for the latest major release, in the form of minor security/maintenance releases. We work hard to make [upgrades][upgrades] reliable, so that there's no reason to run older major releases. See also our documentation on the [Zulip release lifecycle][release-lifecycle]. [security-model]: https://zulip.readthedocs.io/en/latest/production/security-model.html [upgrades]: https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release [release-lifecycle]: https://zulip.readthedocs.io/en/latest/overview/release-lifecycle.html