We will support the latest release and main development branch with security updates.

If you believe to have found a vulnerability in librespot itself or as a result from one of its dependencies, please report it by contacting one or more of the active maintainers directly, allowing no less than three calendar days to receive a response.

If you believe that the vulnerability is public knowledge or already being exploited in the wild, regardless of having received a response to your direct messages or not, please create an issue report to warn other users about continued use and instruct them on any known workarounds.

On your report you may expect feedback on whether we believe that the vulnerability is indeed applicable and if so, when and how it may be fixed. You may expect to be asked for assistance with review and testing.