Security fixes are prioritized for the current master branch and the most recent release artifacts produced from it.
Do not open public GitHub issues for suspected vulnerabilities.
Use one of the following private channels:
- GitHub Security Advisories (preferred): open a private advisory in this repository.
- Maintainer private contact path (fallback): if the advisory flow is unavailable, request private maintainer contact and include full details.
Include the following in your report:
- Vulnerability description and impact
- Reproduction steps or proof-of-concept
- Suspected affected components/crates
- Commit/version context
- Suggested mitigation (if known)
After a report is received:
- Initial triage target: within 3 business days.
- Severity and scope confirmation follows triage.
- Maintainers provide a remediation plan and an expected fix window after confirmation.
Please allow time for a patch before public disclosure.
When a fix is ready:
- A patch PR/release is prepared.
- Advisory/changelog notes describe affected versions and upgrade path.
- Reporter credit is provided on request.