Security: SixLabors/ImageSharp

SECURITY.md

Security Policy

Supported Versions

Six Labors provides security fixes only for the latest major version of each library.

Older major versions are end-of-life and do not receive security fixes.

Users must upgrade to the latest major version to receive security fixes.

Version               Supported
Latest major version  Yes
Older major versions  No

Security fixes, if any, are provided at Six Labors' discretion.

This policy does not create any obligation to provide support, maintenance services, SLAs, custom fixes, hosted services, managed services, operational monitoring, professional services, consulting, or certification of customer products.

Reporting a Vulnerability

Please report suspected security vulnerabilities using GitHub private vulnerability reporting for the relevant Six Labors repository, where available.

If GitHub private vulnerability reporting is not available for a repository, please report suspected security vulnerabilities by contacting Six Labors through the contact details published on the Six Labors website.

Do not report security vulnerabilities through public GitHub issues.

When reporting a vulnerability, please include as much relevant information as possible:

  • affected package and version
  • target framework and runtime
  • operating system
  • input file or minimal reproduction, if safe to share
  • expected and actual behavior
  • potential security impact
  • whether you believe the issue is being actively exploited

Six Labors may review reported vulnerabilities and determine whether they are security issues affecting a supported version.

A report may be declined or closed without action if, in Six Labors' opinion, it:

  • is not reproducible
  • does not affect a supported version
  • affects only an unsupported or end-of-life version
  • is not a security vulnerability
  • depends on unsafe, unsupported, or unintended use
  • depends on a vulnerable application, environment, dependency, configuration, or deployment outside the Six Labors library itself
  • lacks sufficient information for assessment
  • is duplicative
  • has already been fixed
  • is otherwise outside the scope of this policy

If a vulnerability is accepted, Six Labors may handle it through GitHub Security Advisories and, where appropriate, CVE assignment.

Six Labors does not guarantee any response time, fix time, release date, advisory publication date, CVE assignment, workaround, mitigation, or particular outcome for any report.

Scope

This policy applies only to security vulnerabilities in Six Labors libraries themselves.

This policy does not apply to:

  • customer applications
  • customer products
  • customer deployments
  • customer infrastructure
  • customer data
  • third-party services
  • unsupported versions
  • end-of-life versions
  • forks or modified versions
  • usage outside the documented or intended behavior of the relevant library

Organizations using Six Labors libraries are responsible for assessing, securing, testing, monitoring, updating, and maintaining their own applications, products, deployments, infrastructure, and supply chains.

Cyber Resilience Act

Six Labors libraries are general-purpose software libraries.

They are not cybersecurity products, identity or access management systems, password managers, operating systems, browsers, firewalls, network management tools, SIEM tools, hypervisors, container runtimes, or other Cyber Resilience Act important or critical product classes.

If a Six Labors library is treated as a product with digital elements under the Cyber Resilience Act, Six Labors assesses it as an ordinary software component.

Organizations incorporating Six Labors libraries into products made available on the EU market are responsible for assessing and meeting their own regulatory obligations for those products, including any obligations under the Cyber Resilience Act.

Six Labors does not provide support, maintenance services, SLAs, managed services, hosted services, operational monitoring, custom fixes, professional services, consulting, or certification of customer products.

Security vulnerabilities in supported Six Labors libraries are handled through the GitHub Security Advisory process for the relevant repository, where appropriate.

From 11 September 2026, if Six Labors becomes aware of credible active exploitation of a vulnerability in a supported Six Labors library, or a severe security incident affecting a supported Six Labors library, Six Labors may report the matter through the applicable Cyber Resilience Act reporting mechanism where legally required.

No Warranty

Six Labors libraries are provided in accordance with their applicable license terms.

Nothing in this policy creates any warranty, representation, guarantee, support obligation, maintenance obligation, service commitment, regulatory certification, or assumption of responsibility for any customer product, customer deployment, customer compliance obligation, or third-party system.
