While on the subject of ports and packages, a security vulnerability may initially appear either in the original distribution or in the port files. In the former case, the original software developer is likely to release a patch or a new version instantly; update the port promptly to pick up the author's fix. If the fix is delayed for some reason, either mark the port as FORBIDDEN or introduce a patch file to the port. In the case of a vulnerable port, just fix the port as soon as possible. In either case, follow the standard procedure for submitting changes unless you have the rights to commit them directly to the ports tree. Being a ports committer is not enough to commit to an arbitrary port: remember that ports usually have maintainers, who must be respected.
Please make sure that the port's revision is bumped as soon as the vulnerability has been closed. That is how users who upgrade their installed packages on a regular basis will see that they need to run an update. Besides, a new package will be built and distributed over the FTP and WWW mirrors, replacing the vulnerable one. Bump PORTREVISION unless PORTVERSION has changed in the course of correcting the vulnerability. That is, bump PORTREVISION if adding a patch file to the port, but do not bump it if updating the port to the latest software version, since that already touches PORTVERSION. Please refer to the corresponding section for more information.
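The revision rule above, as an added check that is not part of the Porter's Handbook: a small sh script that compares the old and new Makefile of a port and confirms that a security fix is visible to package users (PORTREVISION bumped when PORTVERSION is unchanged, and reset when PORTVERSION moved on). The port name "example-app", its versions and the sample Makefiles are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Porter's Handbook): check that a security fix
# to a port follows the PORTREVISION / PORTVERSION rules. The port name,
# versions and Makefile contents below are constructed for illustration.

# getvar VAR FILE: print the value of a Makefile variable (first assignment).
getvar() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# forbidden_reason FILE: print the FORBIDDEN reason, empty if not marked.
forbidden_reason() { getvar FORBIDDEN "$1"; }

# check_bump OLD_MAKEFILE NEW_MAKEFILE: return 0 if the fix will reach users
# who upgrade installed packages, 1 otherwise.
check_bump() {
    old_ver=$(getvar PORTVERSION "$1"); new_ver=$(getvar PORTVERSION "$2")
    old_rev=$(getvar PORTREVISION "$1"); new_rev=$(getvar PORTREVISION "$2")
    old_rev=${old_rev:-0}; new_rev=${new_rev:-0}
    if [ "$old_ver" = "$new_ver" ]; then
        # Same upstream version (e.g. a files/patch-* was added):
        # PORTREVISION must go up or the package name never changes.
        [ "$new_rev" -gt "$old_rev" ]
    else
        # New upstream version already changes the package name;
        # PORTREVISION goes back to 0 (usually just removed), not bumped.
        [ "$new_rev" -eq 0 ]
    fi
}

# Constructed sample Makefiles for a hypothetical port "example-app".
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf 'PORTNAME= example-app\nPORTVERSION= 1.2.3\n' > "$d/Makefile.vuln"
printf 'PORTNAME= example-app\nPORTVERSION= 1.2.3\nFORBIDDEN= Vulnerable, upstream fix pending\n' > "$d/Makefile.forbidden"
printf 'PORTNAME= example-app\nPORTVERSION= 1.2.3\nPORTREVISION= 1\n' > "$d/Makefile.patched"  # files/patch-* added
printf 'PORTNAME= example-app\nPORTVERSION= 1.2.3\n' > "$d/Makefile.nobump"   # patch added, bump forgotten
printf 'PORTNAME= example-app\nPORTVERSION= 1.2.4\n' > "$d/Makefile.updated"  # upstream release picked up

for new in patched updated nobump; do
    if check_bump "$d/Makefile.vuln" "$d/Makefile.$new"; then
        echo "Makefile.$new: OK, package users will see an update"
    else
        echo "Makefile.$new: PORTREVISION not bumped, vulnerable package stays current"
    fi
done
echo "Makefile.forbidden reason: $(forbidden_reason "$d/Makefile.forbidden")"
```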
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/