# Security Policy for json-web-token

## Supported Versions

We actively address security vulnerabilities for the following versions of `json-web-token`:

| Version | Supported          |
| ------- | ------------------ |
| 3.x.x   | :white_check_mark: |

## Reporting a Vulnerability

We encourage the responsible disclosure of security vulnerabilities. If you have discovered a potential security issue in the `json-web-token` module, we prefer that you report it to us through a GitHub pull request.

### How to Report a Security Vulnerability through a Pull Request:

1. **Fork the Repository**: Create a fork of the `json-web-token` repository.
2. **Create a New Branch**: Make your changes in a new branch in your fork.
3. **Describe the Vulnerability**: In your pull request, provide a detailed description of the vulnerability. This should include:
   - The version of `json-web-token` affected.
   - A comprehensive description of the vulnerability.
   - Steps to reproduce the issue or a code snippet, if possible.
   - Possible impacts of the vulnerability.
4. **Submit the Pull Request**: Submit the pull request to our repository for review.

### Our Response Process:

- We will review your pull request and may request additional details.
- If the vulnerability is confirmed, we will work on a fix and merge your pull request.
- We will keep you informed throughout the process.

### Public Disclosure Timing:

- We request that you do not disclose the vulnerability publicly until we have had the chance to review and address it.
- Coordinated disclosure is vital to protect the community. We will work with you to determine the appropriate time for public disclosure.

## Policy Updates

This security policy is subject to change. We recommend that users periodically review this policy for any updates. Your contributions are vital in keeping `json-web-token` and the open-source community secure.

Thank you for supporting the security of `json-web-token`.
