Security updates are applied only to the latest release.
LittleCMS is located deep in the Linux dependency tree, so security issues are real and should be addressed. The proposed process is quite simple: if you detect a potential security issue and you are able to create a patch, please send us the patch to analyse. We have an extensive test bed of apps and utilities using lcms, so we can check that all of them still work. If you don’t want to create a patch and only want to report the vulnerability, that's fine too, and we will be very grateful. Just contact us.
Please avoid public advisories if possible, as publishing them hints at how the flaw can be used for malicious purposes.
Please don’t make noise to gain popularity; this can result in bad karma for you. Any CVE without reliable proof will be promptly disputed.
Please don’t use untrusted patches from third parties. We had an incident years ago with so-called “security experts” trying to add a back door by using a crafted patch.
Credit will be given to vulnerability busters in each release.
After the patch proves to be harmless, I will send a signed mail with the patch attached to the mailing list. That is, you get a patch from upstream that upstream claims to be reasonably tested: I will apply the same checks that I do before a normal release. Please understand that this is a lot of work, and obviously it can fail as well, so the “no guarantee” clause of the MIT license applies. If you choose to redistribute such patches, please make sure to include the mail, or at least the MIT license. Including the MIT license keeps you out of legal trouble.
Please disclose it through our security advisory.