Kokkos Kernels will issue vulnerability fixes in the develop branch of the project repository. Typically a patch release will be issued shortly after a vulnerability is detected and fixed. The project does not typically issue patch releases for older versions and if it happens, announcements will be made on our website and/or slack channel.

To report a security issue, please email lberge@sandia.gov and srajama@sandia.gov with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue. Our vulnerability management team will respond within 5 working days of your email. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.