Please do not report security vulnerabilities through public GitHub issues.
To report a vulnerability privately, use GitHub Security Advisories.
Please include as much detail as possible: description of the issue, steps to reproduce, potential impact, and any suggested mitigations.
You can expect an acknowledgement within 3 business days. We will work with you to understand the scope of the issue and coordinate a fix before any public disclosure.
Once a fix is available, we will:
- Release a patched version
- Publish a GitHub Security Advisory
- Submit an advisory to the RustSec Advisory Database if applicable
Security fixes are applied to the latest released version. We do not backport fixes to older versions unless the impact is severe and a backport is straightforward.