|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +This repository is published for research and learning purposes. It is **not** a production-grade project and does not have a formal long-term support (LTS) schedule. That said, critical security reports will be reviewed and addressed when possible. |
| 6 | + |
| 7 | +| Version / Branch | Supported | |
| 8 | +| ---------------- | --------- | |
| 9 | +| `main` | :white_check_mark: | |
| 10 | +| tagged releases | :x: | |
| 11 | +| older branches | :x: | |
| 12 | + |
| 13 | +> If you require a production-ready, actively maintained security posture, please consider using a mature/security-focused project or contact the maintainers before relying on this code in production. |
| 14 | +
|
| 15 | +--- |
| 16 | + |
| 17 | +## Reporting a Vulnerability |
| 18 | + |
| 19 | +If you discover a security vulnerability, please report it privately so we can investigate and, where appropriate, produce a coordinated fix. |
| 20 | + |
| 21 | +**Preferred reporting channels (in order):** |
| 22 | +1. **GitHub Security Advisories** — create a private security advisory for this repository. |
| 23 | +2. **Email ** — send details to **[email protected]** (PGP not currently published). |
| 24 | + |
| 25 | +### What to include in a report |
| 26 | +Please include as much of the following information as you can to help us triage quickly: |
| 27 | + |
| 28 | +- A short, descriptive title. |
| 29 | +- A clear description of the vulnerability and the affected component(s). |
| 30 | +- Step-by-step reproduction instructions or a minimal PoC (proof of concept) that demonstrates the issue. |
| 31 | +- The expected behavior vs. the observed behavior. |
| 32 | +- The environment(s) where the issue was observed (OS, architecture, Rust version, crate versions, etc.). |
| 33 | +- Any suggested fixes or mitigations (optional). |
| 34 | +- Contact information so we can follow up (email or GitHub handle). |
| 35 | + |
| 36 | +**Do not** post vulnerabilities in public issues or pull requests — this may expose users to risk before a fix is available. |
| 37 | + |
| 38 | +--- |
| 39 | + |
| 40 | +## Response Process & Timeline |
| 41 | + |
| 42 | +- **Acknowledgement:** You can expect an initial acknowledgement within **24–72 hours** of receipt. |
| 43 | +- **Triage:** We will assess severity and impact and provide interim guidance (e.g., mitigation steps) as needed. |
| 44 | +- **Fix & Disclosure:** If the report is confirmed, we will create a fix (or mitigation) and coordinate disclosure. We aim to publish a public disclosure only after a patch or mitigation is available. |
| 45 | +- **If we determine the report is not a vulnerability** (false positive or out of scope), we will explain our reasoning and close the report. |
| 46 | + |
| 47 | +--- |
| 48 | + |
| 49 | +## Confidentiality & Credit |
| 50 | + |
| 51 | +- We will treat reports confidentially while investigating. |
| 52 | +- If you would like credit in a public advisory or the changelog, please state that preference in your report. We will credit discoverers unless they request anonymity. |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +## Important Notes |
| 57 | + |
| 58 | +- This repository is primarily for research and educational use. It may contain experimental code, unsafe examples, or intentionally insecure samples for learning — **do not** run in production without a security review. |
| 59 | +- If you require an encrypted communication channel (PGP), respond to the initial acknowledgment with that request and we will arrange it if possible. |
| 60 | + |
| 61 | +Thank you for helping improve the security of this project. |
0 commit comments