Security updates are provided for the latest stable release, and are published as patch releases. For instance, if the latest stable version is 3.8.2, reported vulnerabilities affecting it will be fixed by releasing further patch releases (such as 3.8.3). Accumulated patches are included in the next minor or major release (e.g. 3.9 or 4.0).
Previous releases do not get security updates, so we recommend always running the latest stable release.
Our core team will try their best to fix any valid vulnerability that is reported to them.
You can privately report a vulnerability to the OpenRefine team by creating a security advisory on GitHub. This report will be kept private while it is being assessed by the team.
Keep in mind that OpenRefine is designed to run locally on a user's PC, and makes network calls across the internet only upon a user's choice or command. As such, certain vulnerabilities might not apply to OpenRefine's design. If in doubt, please submit a report anyway.