In general, only the latest released avif version is supported and will receive updates.

To report a security vulnerability, please send an email to Julian+Security at GrayVines.com with subject line SECURITY (avif).

I will do my best to respond within 48 hours to acknowledge the message and discuss further steps.

If the vulnerability is accepted, an advisory will be sent out via GitHub's security advisory functionality.

For non-sensitive discussion related to this policy itself, feel free to open an issue on the issue tracker.