At any point in time, we only support the latest version of har2tree. There will be no security patches for other releases (tagged or not).
In the case of a security vulnerability report, we ask the reporter to send it directly to CIRCL, if possible encrypted with the following GnuPG key: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5.
If you report security vulnerabilities, do not forget to tell us if and how you want to be acknowledged and if you already requested CVE(s). Otherwise, we will request the CVE(s) directly.