Users who find bugs are encouraged to report them to the Whonix issue tracker.
Once notified issues are reproduced and confirmed, developers discuss the problem in order to find a suitable workaround. All Whonix source code fixes and related matters are implemented as quickly as possible, and the finding is posted for the public benefit.
Users are kindly asked to privately report security bugs. Whonix developer Patrick Schleizer should be contacted via OpenPGP encrypted mail before the information is published. This allows the vulnerability to be patched without the Whonix user population being endangered, and the notifier can be credited with the finding(s) after the next Whonix release.
Whonix Package Upgrade Policy
Tickets that are resolved on the Whonix issue tracker are not automatically pushed to the stable (or even developer) version of Whonix. Stable package upgrades are rare, since they potentially risk destabilizing the Whonix platform and necessitating manual fixes by users to rectify the problem. This situation will change in Whonix 14 as it will become a rolling distribution, which means much more frequent updates to the stable, stable-proposed-updates, testers and developers repositories.
Issue tracker labels can be interpreted as follows:
- Reviewed: "Completed in the latest source code version of Whonix" (but not released). Further testing is required in the next Whonix developers-only or testers-only release.
- Resolved: "Completed in the development version of Whonix".
- There is no specific label to indicate status in the stable Whonix release.
Without a stable release manager and more developers, users should not expect upgrades in stable Whonix packages until Whonix 14, unless a critical security vulnerability is discovered. Fixes noted on the issue tracker will become available to all users after the next stable version release. Advanced users who do not wish to wait can of course manually apply fixes to the relevant package(s) before that time. 
- For example, the Whonix AppArmor profiles package frequently breaks functional Tor Browser use when later browser versions are released, and is a prime candidate for manual fixes.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.