Quality-time has not been hardened yet. We advise against running Quality-time internet-facing or in an otherwise untrusted environment.
Starting with release v4.6.0-rc.4, an SBOM is generated for each release. The GitHub Actions release workflow creates an Software Bill of Materials (SBOM) for the release, which can be found under the "Artifacts" header of the workflow run.
Only the latest version of Quality-time is currently being supported with security updates.
You can privately report a vulnerability issue in this repository's issue tracker.