Thank you for your collaboration keeping Thymeleaf safe and secure. If you believe you have found a security issue in Thymeleaf, please notify us so that we can work with you in its prompt resolution.

• Let us know as soon as possible by sending an email to security@thymeleaf.org.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. Especially, do not create a GitHub issue ticket yourself talking about the vulnerability. We may publicly disclose the issue before resolving it, but only if appropriate.

We will credit the reporter of a confirmed vulnerability in the GitHub ticket created for publishing it (typically once it is fixed).

We reserve the right to consider out of the scope of Thymeleaf's security:

• Developer bad practices and inadequate uses of Thymeleaf that effectively create the vulnerability in the applications being developed with Thymeleaf.
• Attacks requiring physical access to the machine Thymeleaf is running on.
• Issues in Thymeleaf's software dependencies which can be reported to these dependencies' maintainers.

• 3.1.x is the current development line. This version is not recommended for production use yet.
• 3.0.x is the latest production line (GA as of May 2016) and is under active support.
• 2.1.x and previous versions are no longer supported. No further maintenance and security patches are planned in those lines.

At this point, we recommend upgrading to the latest Thymeleaf 3.0.x release.