QCBOR has not branched and is backwards compatible. The primary support is on the tip of the repository and most security fixes will be made there.
If a security fix is needed for an older version, please report the issue and request the fix explicitly. It will be considered if the issue truly can't be closed out by a fix to the tip and upgrading to the tip.
Please report security vulnerabilities by sending email to lgl@island-resort.com AND posting it as a GitHub issue.
A GitHub issue will be filed for any vulnerability of substance. It will be marked with the label "security".
Laurence Lundblade maintains this code and will respond in a day or two with an initial evaluation.
Security fixes will generally be prioritized over other work, especially if the vulnerability is a significant one.
Vulnerabilities will be fixed promptly, but some may be more complex than others and take longer. If the fix is quick, it will usually be turned around in a few days.
If the vulnerability is rejected, an issue will be filed in GitHub and then closed with an explanation of why it was rejected. It will have the labels "security" and "wontfix". This is so there is a record of the filing.