Security updates will be provided for the most recent minor releases of all packages.

Updates for earlier releases may be considered, but are not guaranteed.

To report a suspected security vulnerability, please do so on GitHub via this form: https://github.com/messageformat/messageformat/security/advisories/new

You may expect a response within 48 hours.

For extended support or a stronger guarantee, please reach out to the maintainers to discuss a support agreement.

If you do not receive an acknowledgement of your report within 6 business days, you may escalate to the OpenJS Foundation CNA at security@lists.openjsf.org.

If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.